US20070208854A1 - Network interface device - Google Patents


Info

Publication number
US20070208854A1
Authority
US
United States
Prior art keywords
security
service
rule
traffic management
logic
Legal status
Granted
Application number
US11/367,765
Other versions
US7970899B2 (en)
Inventor
Santa Wiryaman
Manickam R. Sridhar
Current Assignee
Barracuda Networks Inc
Original Assignee
Individual
Application filed by Individual
Priority to US11/367,765 (patent US7970899B2)
Assigned to CONVERGED ACCESS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SRIDHAR, MANICKAM, WIRYAMAN, SANTA
Publication of US20070208854A1
Priority to US12/360,520 (patent US20100031323A1)
Assigned to BARRACUDA NETWORKS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CONVERGED ACCESS, INC.
Priority to US12/551,169 (patent US7987267B2)
Priority to US12/551,147 (patent US8069244B2)
Application granted
Publication of US7970899B2
Assigned to SILICON VALLEY BANK. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BARRACUDA NETWORKS, INC.
Assigned to BARRACUDA NETWORKS, INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT
Assigned to GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT. FIRST LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT. Assignors: BARRACUDA NETWORKS, INC.
Assigned to GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT. SECOND LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT. Assignors: BARRACUDA NETWORKS, INC.
Assigned to BARRACUDA NETWORKS, INC. RELEASE OF SECURITY INTEREST IN INTELLECTUAL PROPERTY RECORDED AT R/F 045327/0934. Assignors: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT
Assigned to GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT. SECOND LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT. Assignors: BARRACUDA NETWORKS, INC.
Assigned to BARRACUDA NETWORKS, INC. RELEASE OF FIRST LIEN SECURITY INTEREST IN IP RECORDED AT R/F 045327/0877. Assignors: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT
Assigned to BARRACUDA NETWORKS, INC. RELEASE OF SECOND LIEN SECURITY INTEREST IN IP RECORDED AT R/F 054260/0746. Assignors: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT
Assigned to UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BARRACUDA NETWORKS, INC.
Assigned to KKR LOAN ADMINISTRATION SERVICES LLC, AS COLLATERAL AGENT. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BARRACUDA NETWORKS, INC.
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes

Definitions

  • This description relates to a network interface device integrating security and traffic management functions.
  • IP Internet Protocol
  • a device such as a firewall can be deployed at the boundary between the local area network and a wide area network (e.g., the Internet) to prevent unauthorized access from sources external to the network.
  • Firewalls serve as a point of network access where incoming traffic from remote sources and outgoing traffic to the Internet can be analyzed and controlled.
  • IP networks today carry multiple types of traffic, such as voice, video, email, and web traffic to name a few.
  • QoS quality of service
  • Maintaining the requisite level of quality of service generates specific constraints as services have different characteristics.
  • voice services are sensitive to both delay and delay variations as distortions of the voice may drastically impact the quality and/or interactivity of the communication, but are generally tolerant to some loss.
  • Video services are insensitive to delay as compared to voice services, but may be more sensitive to delay variations and loss.
  • Data services in general are largely immune to delay and delay variations, but are sensitive to loss. Uncontrolled traffic in data services has the tendency to consume the entire available pipe simply by the nature of the transport protocol used to transfer the data.
  • Security and traffic management functions are typically implemented by two separate network devices or two separate logical components of a single physical package that are coupled in series and configured independently of each other by different personnel. Miscommunication between the personnel can lead to conflict during operation of the security and traffic management functions. Further, as the two functions behave independently of each other, packet classification is performed twice (once by each function), which adds to processor load and increases latency.
  • implementations of the invention feature a method for defining a policy including a set of rules for a packet forwarding device.
  • the method includes receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.
  • implementations of the invention feature an apparatus that includes management logic and coordination logic.
  • the management logic is configured to receive information sufficient to enable a first rule related to one of security or traffic management to be defined, enable a corresponding second rule related to the other one of security or traffic management to be defined based on the received information, and store attributes of the first rule and attributes of the second rule in a configuration database.
  • the coordination logic is configured to send a first signal to a first engine of a packet forwarding device to notify the first engine of the newly-stored attributes of the first rule, and send a second signal to a second engine of the packet forwarding device to notify the second engine of the newly-stored attributes of the second rule.
  • implementations of the invention feature a network device that includes a first network interface and a second network interface, each of the network interfaces being capable of bi-directional communication; a policy including a set of rules for the device, the set of rules including security rules and traffic management rules; a security engine to filter packets received at the first network interface of the device, the security engine comprising logic to classify each of the packets received at the first network interface, and logic to process the classified packets in accordance with one or more of the security rules to identify accepted packets; and a quality of service engine to schedule the accepted packets for transmission through the second network interface of the device, the quality of service engine comprising logic to queue the accepted packets for transmission based on the classifying performed by the security engine, and logic to process each of the accepted packets queued for transmission in accordance with one or more of the traffic management rules.
  • Implementations of the invention may include one or more of the following advantages.
  • Another advantage of this invention is that the dynamically negotiated ports can be identified by the classification engine and dynamically used to open pinholes in the firewall while simultaneously identifying the parent and child flows to be processed by the traffic management engine.
  • FIG. 1 shows a communication system
  • FIGS. 2 and 3 each show a block diagram of an interface device.
  • FIG. 4 shows a backend system for use in configuring an interface device.
  • FIGS. 5 , 6 a - 6 e , and 7 each show a screen shot of a graphical user interface for use in configuring an interface device.
  • FIG. 1 shows a communication system 100 in which an interface device 110 supporting voice, video, and data services is deployed at an intersection of a private network 102 and a public network 104 .
  • the private network 102 can include one or more networks, such as a local area network (LAN) and a wireless local area network (WLAN).
  • LAN local area network
  • WLAN wireless local area network
  • Each of the LAN and the WLAN includes nodes that are connected using wired, wireless, or optical connections.
  • the nodes are personal computers 112 , laptops 114 , Voice over IP (VoIP)-enabled devices 116 , and other devices 118 that are capable of transmitting/receiving voice, video, and/or data communications.
  • VoIP Voice over IP
  • the public network 104 can include one or more networks, such as the Internet, an intranet, another LAN, and/or a wide area network (WAN).
  • the interface device 110 manages bi-directional traffic between the private network 102 and the public network 104 .
  • the bi-directional traffic can include packets of a variety of protocols, such as the Internet Protocol (IP), the Session Initiation Protocol (SIP), the User Datagram Protocol (UDP), the Transmission Control Protocol (TCP), the File Transfer Protocol (FTP), the Post Office Protocol 3 (POP3), the Simple Mail Transfer Protocol (SMTP), and the Real-time Transport Protocol (RTP), that carry a variety of application traffic.
  • IP Internet Protocol
  • SIP Session Initiation Protocol
  • UDP User Datagram Protocol
  • TCP Transmission Control Protocol
  • FTP File Transfer Protocol
  • POP3 Post Office Protocol 3
  • SMTP Simple Mail Transfer Protocol
  • RTP Real-time Transport Protocol
  • the interface device 110 includes a first interface (e.g., “private interface” 202 ) to the private network 102 and a second interface (e.g., “public interface” 204 ) to the public network 104 .
  • Although each of the interfaces 202 , 204 is depicted as a discrete component of the interface device 110 , each interface 202 , 204 can be implemented as a single component that supports bi-directional communication or as separate components (e.g., a transmit port and a receive port) each supporting uni-directional communication.
  • the interface device 110 also includes security logic 206 and traffic management logic 208 for handling packets passing between the private network 102 and the public network 104 . Details of each of the security logic 206 and the traffic management logic 208 are described below with reference to FIG. 3 .
  • the interface device 110 also includes other logic not depicted in FIG. 2 to aid in the reception, processing, and transmission of packets between the private network and the public network. Such logic can include packet routing logic, SIP-based call processing logic, VPN, Frame relay and ATM stacks, various device drivers etc., to name a few.
  • the logic included in the interface device 110 can be implemented as hardware (e.g., an application specific integrated circuit or a field programmable gate array), software, or a combination of both.
  • the interface device 110 further includes a policy table 210 that specifies how different classes of data flows are to be processed in accordance with a policy set in the interface device 110 .
  • the policy table 210 includes a number of records, each of which is associated with a class of data flows, and contains information (“data flow characterization information”) that characterizes the class of data flows using a set of attributes, information (“conditions information”) that defines the conditions when one or more security and/or traffic management rules should be applied, and information (“class identifier”) that uniquely identifies the class of data flows.
  • packets arriving at the interface device 110 through the private interface 202 or the public interface 204 are first examined by a classification component 302 of an engine (“security engine” 304 ) implementing the security logic 206 to determine which data flow each incoming packet belongs to.
  • the classification component 302 applies a hash function to five attributes of an incoming packet, namely source address, source port, protocol, destination address, and destination port to generate a hash key.
  • the classification component 302 then performs a lookup operation of a connection table 306 to determine whether an entry matching the generated hash key is present in the connection table 306 .
  • If a match is found, this indicates to the classification component 302 that the incoming packet is part of an existing data flow (also referred to as a “connection”).
  • the matched entry contains an admission control directive (e.g., “accept,” “deny,” or “drop”), and a class identifier that uniquely identifies the class of data flows with which the existing connection is associated.
  • the classification component 302 applies the admission control directive to the incoming packet, and in those instances in which the accept admission control directive is applied, tags the incoming packet with the class identifier provided in the matched entry, prior to forwarding the tagged packet to an engine (“traffic management engine” 308 ) implementing the traffic management logic.
  • If no matching entry is found, the classification component 302 sequentially searches the records of the policy table 210 to locate a record containing data flow characterization information that matches the five attributes of the incoming packet. Once the record is located, the classification component 302 generates a new entry for that specific connection in the connection table 306 .
  • the new entry is addressable by the hash key and contains the conditions information and class identifier provided in the located record.
  • the classification component 302 optionally directs the packet to a network address translation (NAT) component 310 for additional processing.
  • the NAT component 310 translates private IP addresses and port numbers within the private network 102 into public IP addresses and port numbers when the communication passes between the private and public networks.
  • the NAT component 310 enables IP addresses and port numbers in the private network 102 to be concealed from the public network 104 using techniques commonly known in the art. For example, source information in the headers of packets received from the private network 102 and destined for the public network 104 can be changed to reflect the IP address and port number of the interface device 110 .
  • the NAT component 310 maintains a binding table that links private IP addresses and port numbers with public IP addresses and port numbers. When a reply returns to the interface device 110 , the NAT component 310 uses the bindings in the binding table to determine where on the private network 102 to forward the reply.
  • the NAT component 310 places constraints on the deployment of services that carry IP addresses (or address derivatives) in the data stream, and operates on the assumption that each session is independent. However, there are services with higher-layer protocols (such as FTP, H.323, SIP, and MGCP) that use control packets to set the characteristics of the follow-on packet streams in their control packet payload. Services like these assume end-to-end integrity of addresses and will generally fail when traversing the NAT component 310 . To address this issue, the interface device 110 can be implemented with an application level gateway (ALG) component 312 that exists within or alongside the NAT component 310 (as shown in the illustrated example of FIG. 3 ) to update any payload data made invalid by the NAT component 310 .
  • ALG application level gateway
  • each protocol that may embed an IP address within a data stream requires a separate protocol-specific ALG component 312 .
  • each protocol-specific ALG component 312 also negotiates with the NAT component 310 to reserve any specific port or port ranges necessary to support the protocol for the duration of a session.
  • These reserved port or port ranges are dynamically opened and closed during a session to enable the packets of the follow-on packet streams (e.g., media streams of a SIP call) to pass through the interface device 110 .
  • These pinholes are permanently closed at the termination of the session to avoid possible attacks or unwanted intrusions on the internal network.
  • an admission control component 314 of the interface device 110 issues an admission control directive for the packet based on the conditions information specified for the class of data flows with which the packet is associated.
  • the admission control component is implemented to issue an “accept” directive only if the additional connection (with which the packet is associated) and the existing connections of the class consume a total bandwidth that is less than the maximum bandwidth for the class; otherwise the admission control component issues a “drop” directive, in which the packet is silently dropped, or a “deny” directive, in which a message is returned to the node that originated the packet.
  • The connection table entry corresponding to the connection with which the packet is associated is then augmented to include the issued directive. If an “accept” directive has been issued for a packet, the security engine 304 tags the packet with the class identifier provided in the packet's connection table entry, and forwards the tagged packet to the traffic management engine 306 for placement into one of a number of outbound queues 316 based on its class identifier.
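The classification and admission-control path described in the items above, as an added worked example in Python (illustrative code written for this page, not the patent's implementation). It hashes the five packet attributes into a connection-table key, falls back to a sequential policy-table search on a miss, applies the class bandwidth condition to issue an accept/deny/drop directive, records the directive in the new connection entry, and tags accepted packets with the class identifier for the traffic management engine. The policy records, addresses, rates, and the choice to drop packets that match no policy record are constructed assumptions.

```python
"""Toy model of the security engine's classification component and admission
control.  Constructed for illustration; not the patent's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple
import zlib


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    proto: str
    dst: str
    dport: int
    rate_kbps: int  # constructed: bandwidth a new connection of this flow would consume


@dataclass
class PolicyRecord:
    """One policy-table record: flow characterization, conditions, class identifier."""
    class_id: str
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]        # None matches any destination port
    max_class_kbps: int         # conditions information: bandwidth ceiling for the class
    reject_with: str = "drop"   # "drop" (silent) or "deny" (message back to originator)

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))


@dataclass
class ConnectionEntry:
    class_id: str
    rate_kbps: int
    directive: str


def five_tuple_key(pkt: Packet) -> int:
    """Hash key over source address/port, protocol, destination address/port."""
    return zlib.crc32(f"{pkt.src}|{pkt.sport}|{pkt.proto}|{pkt.dst}|{pkt.dport}".encode())


class SecurityEngine:
    def __init__(self, policy_table: List[PolicyRecord]):
        self.policy_table = policy_table
        self.connection_table: Dict[int, ConnectionEntry] = {}

    def _class_usage_kbps(self, class_id: str) -> int:
        return sum(e.rate_kbps for e in self.connection_table.values()
                   if e.class_id == class_id and e.directive == "accept")

    def _admit(self, rec: PolicyRecord, pkt: Packet) -> str:
        # Admission control: accept only while the class stays below its ceiling.
        if self._class_usage_kbps(rec.class_id) + pkt.rate_kbps < rec.max_class_kbps:
            return "accept"
        return rec.reject_with

    def classify(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (admission directive, class tag).  The tag is set only on accept
        and is what the traffic management engine uses to pick an outbound queue."""
        key = five_tuple_key(pkt)
        entry = self.connection_table.get(key)
        if entry is None:
            # Connection-table miss: sequential search of the policy table.
            rec = next((r for r in self.policy_table if r.matches(pkt)), None)
            if rec is None:
                return "drop", None  # assumption: no matching record means drop
            entry = ConnectionEntry(rec.class_id, pkt.rate_kbps, self._admit(rec, pkt))
            self.connection_table[key] = entry
        tag = entry.class_id if entry.directive == "accept" else None
        return entry.directive, tag


# Constructed policy: SIP signalling to one public host is premium with a
# 1000 kbps ceiling; web traffic from the LAN is standard.
POLICY = [
    PolicyRecord("premium", "10.0.0.0/24", "203.0.113.5/32", "udp", 5060, 1000, "deny"),
    PolicyRecord("standard", "10.0.0.0/24", "0.0.0.0/0", "tcp", 80, 5000),
]


def demo() -> list:
    eng = SecurityEngine(POLICY)
    pkts = [
        Packet("10.0.0.7", 5060, "udp", "203.0.113.5", 5060, 600),   # first SIP flow
        Packet("10.0.0.9", 5060, "udp", "203.0.113.5", 5060, 600),   # second SIP flow: over ceiling
        Packet("10.0.0.7", 5060, "udp", "203.0.113.5", 5060, 600),   # same flow again: table hit
        Packet("10.0.0.7", 40000, "tcp", "198.51.100.20", 80, 100),  # web flow
        Packet("10.0.0.7", 40001, "tcp", "198.51.100.20", 22, 10),   # no policy record
    ]
    return [eng.classify(p) for p in pkts]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second SIP flow is refused with “deny” because 600 + 600 kbps is not below the 1000 kbps class ceiling, and the repeat packet of the first flow is served from the connection table without touching the policy table.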
  • the traffic management engine 306 includes a queuing engine 318 , a rate shaper component 320 , a maximum segment size (MSS) component 322 , and a type of service (TOS) component 324 for managing outbound traffic in accordance with the policy so as to avoid congestion, packet loss, and application performance degradation.
  • Many transport-layer protocols include end-to-end acknowledgments.
  • an acknowledgement includes a field that indicates to a sender the amount of data (a “window size”) that it may send without acknowledgment. This field is typically used for window-based flow control. As packets of a connection pass from a source node to a destination node, acknowledgement packets are passed through the rate shaper component 320 .
  • the rate shaper component 320 modifies the acknowledgement packets to control the rate at which packet is sent for those connections, thereby controlling the depth of the outbound queues for those connections. This mechanism is particularly useful for TCP-based connections.
  • Without intervention, the window size may initially be too large and then converge slowly to a smaller value based on feedback from the destination.
  • The rate shaper component 320 sets the window size to a smaller value directly, so the sender does not have to rely on feedback from the destination to reduce it.
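Window-size rewriting of the kind the rate shaper component 320 is described as performing, as an added example in Python (written for this page, not the patent's code). It constructs an IPv4/TCP acknowledgement, clamps the 16-bit window field to a configured ceiling and recomputes the TCP checksum over the pseudo-header, the step an in-path device must take or the sender will discard the modified segment. Addresses, ports and window values are constructed; nothing is sent on a network.

```python
"""Clamp the advertised TCP window in an ACK and keep the checksum valid.
Constructed for illustration; not the patent's code."""
import socket
import struct


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, returned as the 16-bit complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment)


def build_ack(src_ip: str, dst_ip: str, sport: int, dport: int,
              seq: int, ack: int, window: int) -> bytes:
    """Construct a minimal IPv4 header + TCP ACK (no options, no payload)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                                5 << 4, 0x10, window, 0, 0))
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp),
                               0, 0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", _ones_complement_sum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def window_of(packet: bytes) -> int:
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    """A segment verifies when the checksum computed with the checksum field
    left in place folds to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_window(packet: bytes, max_window: int) -> bytes:
    """Rate shaper step: if the advertised window exceeds max_window, rewrite it
    and fix the TCP checksum.  Non-TCP packets and small windows pass unchanged."""
    if packet[9] != 6:                        # IPv4 protocol field: 6 = TCP
        return packet
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if struct.unpack("!H", tcp[14:16])[0] <= max_window:
        return packet
    tcp[14:16] = struct.pack("!H", max_window)
    tcp[16:18] = b"\x00\x00"                  # zero the field before recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    pkt = build_ack("10.0.0.7", "198.51.100.20", 40000, 80, 1000, 2000, 65535)
    shaped = clamp_window(pkt, 8192)
    print(window_of(pkt), "->", window_of(shaped), "checksum ok:", tcp_checksum_ok(shaped))
```

Only the TCP checksum changes, since the IP header is untouched; a device that also scales the window via the TCP window-scale option would have to account for the shift, which this minimal ACK without options does not carry.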
  • the maximum segment size component 322 can be used to modify the maximum requested segment size for packets in a connection.
  • the TOS component 324 examines a TOS bit of each packet to determine a precedence for the packet. Preferential service can be provided to higher priority packets. For example, packets that are part of an interactive application may have a TOS bit associated with a higher priority than packets that are part of a bulk file transfer between sites.
  • FIG. 4 shows a backend system 400 for use in configuring the interface device 110 .
  • the system 400 includes management logic 402 , coordination logic 404 , and a configuration database 406 .
  • the management logic 402 implements a graphical user interface (GUI) through which a user, such as an administrator of the interface device 110 , can specify and/or modify a policy for the interface device 110 .
  • GUI graphical user interface
  • When the user launches the GUI, the user is presented with a network map screen 500 , illustrated in FIG. 5 .
  • the user can add a new security rule or a new traffic management rule to the policy for the interface device 110 by clicking on the appropriate icon (e.g., security icon 502 or traffic management icon 504 ) displayed on the sidebar on the left-hand side of the network map screen.
  • This action brings up a security settings screen 600 , illustrated in FIGS. 6 a - 6 e, that allows the user to enter various pieces of information to enable a new security rule to be defined.
  • the information includes attributes of IP address matching parameters 602 , operation parameters 604 , and service parameters 606 .
  • To apply the security rule, a match has to be made on IP addresses.
  • the user can define a coupling of source and destination traffic by specifying “Source IP address” and “Destination IP address” attributes.
  • the user can specify an action to be taken using the operation parameters.
  • the action is one of “drop” (i.e., deny access to packets that match the source and destination IP address), “reject” (i.e., deny access to packets that match the source and destination IP address and send a response to the node(s) originating the packet(s)), and “accept” (i.e., allow access to packets that match the source and destination IP address).
  • FIGS. 6 a - 6 e show a list of services that are generally categorized by type.
  • Under the “Basic Web Utilities” service type, the user can select the checkboxes alongside the following: FTP—File Transfer, HTTP—Web Server, IMAP—Messaging Server, NNTP—News Server, SNMP—Simple Network Management Protocol, and TELNET—Remote Connection.
  • Under another service type, the user can select the checkboxes alongside the following: SIP, Net2Phone, H.323 Call Signaling, and MGCP.
  • Under the “Gaming” service type, the user can select Delta Force, Quake III, and Warbirds 2.
  • the user can also select a traffic management class to which the security rule is to be linked.
  • Referring to the “Assign filter to class” portion 608 of the security settings screen of FIG. 6 a , if no traffic management classes have been defined, only a “Default” traffic management class is provided for selection.
  • This “Default” traffic management class generally corresponds to a standard class of service in which no special processing is performed by the traffic management engine other than limiting the total bandwidth of all packets used by all services in the standard class of service to be within the bandwidth of the connection.
  • If traffic management classes have been defined (as shown in FIG. ), the user can link the security rule to a specific class by choosing one of the traffic management classes provided in a drop down menu in the “Assign filter to class” portion of the security settings screen. If none of the existing traffic management classes provided in the drop down menu are satisfactory, the user can define a new traffic management class by clicking on the traffic management icon on the left-hand side of the network map screen. This action brings up a traffic management settings screen 700 , illustrated in FIG. 7 , that allows the user to enter various pieces of information to customize a traffic management rule.
  • the information includes the total amount of bandwidth that is guaranteed to this class of data flows, whether rate shaping applies to this class of data flows, burst bandwidth, priority, type of service, to name a few.
  • the user can identify a number of calls to be simultaneously permitted per codec for the premium class of service associated with the voice service.
  • the coordination logic 404 of the backend system 400 stores the attributes of the newly-defined traffic management rule in the configuration database, and returns the user to the previously-displayed security settings screen. From this screen, the user can select the newly-defined traffic management class from the drop down menu of the “Assign filter to class” portion of the security settings screen.
  • the coordination logic 404 of the backend system 400 stores the attributes of the security rule in the configuration database 406 and automatically creates and stores the linking information between the security rule and the traffic management class.
  • the management logic 402 has access to information that categorizes services by class.
  • services such as SIP, Net2Phone, and H.323 are recognized as being voice services that are sensitive to both delay and delay variations, and data flows associated with SIP, Net2Phone, and H.323 are placed into a premium class of data flows.
  • Services such as Citrix, PPTP, and TELNET are recognized as being time-sensitive data services, and data flows associated with Citrix, PPTP, and TELNET are placed into a critical class of data flows.
  • Services such as HTTP, FTP, and SNMP are recognized as being non-time-critical data services, and data flows associated with HTTP, FTP, and SNMP are placed into a standard class of data flows.
  • Each of these classes of data flows i.e., premium, critical, and standard
  • the management logic 402 identifies the classes of data flows associated with the services selected by the user in the security settings screen, and generates class-based traffic management rules based on the respective defaults. For example, if the user selects SIP and Citrix as being the services to which the security rule is applied, the management logic automatically generates two traffic management rules: (1) a traffic management rule for the premium class of data flows based on the user selection of SIP; and (2) a traffic management rule for the critical class of data flows based on the user selection of Citrix.
  • the coordination logic of the backend system stores the attributes of the security rule in the configuration database and automatically creates and stores the linking information between the security rule and the traffic management class(es).
  • the description above is directed to the generation of one or more traffic management rules based on information provided by the user with respect to a security rule
  • the techniques are also applicable to the scenario in which the user enters sufficient information to define a new traffic management rule, and one or more security rules corresponding to the new traffic management rule are generated by selecting either a new inbound filter 706 or a new outbound filter 708 .
  • the user can select an “Apply” button 702 , illustratively depicted at the bottom of the traffic management settings screen 700 in FIG. 7 .
  • This action causes the coordination logic 404 to send respective notification signals to the security engine 304 and the traffic management engine 306 indicating that the configuration database has been updated.
  • the security engine 304 responds to the notification signal by retrieving the attributes associated with the security rules from the configuration database 406 , loading the retrieved attributes, and restarting itself.
  • the traffic management engine 306 responds to the notification signal by retrieving the attributes associated with the traffic management rules from the configuration database, loading the retrieved attributes, and restarting itself.
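The management/coordination split described above (service-to-class categorization, automatic generation of one class-based traffic management rule per distinct class, storage of the rules and their linking information in the configuration database, and notification of both engines on “Apply”), as an added example in Python written for this page rather than taken from the patent. The service-to-class table follows the text; the per-class default values, the treatment of unknown services as standard, the rule and engine names, and the in-memory database are constructed assumptions.

```python
"""Model of the management logic generating traffic management rules from a
security rule, and of the coordination logic storing and announcing them.
Constructed for illustration; not the patent's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Service-to-class categorisation as given in the text.
SERVICE_CLASS = {
    "SIP": "premium", "Net2Phone": "premium", "H.323": "premium",
    "Citrix": "critical", "PPTP": "critical", "TELNET": "critical",
    "HTTP": "standard", "FTP": "standard", "SNMP": "standard",
}

# Constructed per-class defaults; the text names these fields but not the values.
CLASS_DEFAULTS = {
    "premium":  {"guaranteed_kbps": 2000, "rate_shaping": False, "priority": 1},
    "critical": {"guaranteed_kbps": 1000, "rate_shaping": True,  "priority": 2},
    "standard": {"guaranteed_kbps": 0,    "rate_shaping": True,  "priority": 3},
}


@dataclass
class SecurityRule:
    name: str
    src_ip: str
    dst_ip: str
    action: str          # "drop", "reject" or "accept", as on the security settings screen
    services: List[str]

    def __post_init__(self) -> None:
        if self.action not in ("drop", "reject", "accept"):
            raise ValueError(f"unknown action {self.action!r}")


@dataclass
class TrafficManagementRule:
    class_id: str
    guaranteed_kbps: int
    rate_shaping: bool
    priority: int


@dataclass
class ConfigDatabase:
    security_rules: Dict[str, SecurityRule] = field(default_factory=dict)
    tm_rules: Dict[str, TrafficManagementRule] = field(default_factory=dict)
    links: Dict[str, List[str]] = field(default_factory=dict)   # rule name -> class ids


class Engine:
    """Stand-in for the security and traffic management engines: on notification
    it re-reads its part of the configuration database and counts a restart."""

    def __init__(self, name: str, db: ConfigDatabase):
        self.name, self.db, self.restarts = name, db, 0
        self.loaded: dict = {}

    def notify(self) -> None:
        source = self.db.security_rules if self.name == "security" else self.db.tm_rules
        self.loaded = dict(source)
        self.restarts += 1


class ManagementLogic:
    def generate_tm_rules(self, rule: SecurityRule) -> List[TrafficManagementRule]:
        """One class-based traffic management rule per distinct class among the
        rule's services, built from that class's defaults."""
        classes: List[str] = []
        for svc in rule.services:
            cls = SERVICE_CLASS.get(svc, "standard")   # assumption: unknown services are standard
            if cls not in classes:
                classes.append(cls)
        return [TrafficManagementRule(c, **CLASS_DEFAULTS[c]) for c in classes]


class CoordinationLogic:
    def __init__(self, db: ConfigDatabase, engines: List[Engine]):
        self.db, self.engines = db, engines

    def apply(self, rule: SecurityRule, tm_rules: List[TrafficManagementRule]) -> None:
        self.db.security_rules[rule.name] = rule
        for tm in tm_rules:
            self.db.tm_rules.setdefault(tm.class_id, tm)
        self.db.links[rule.name] = [tm.class_id for tm in tm_rules]   # linking information
        for engine in self.engines:                                    # "Apply": notify both
            engine.notify()


def demo() -> Tuple[ConfigDatabase, List[Engine]]:
    db = ConfigDatabase()
    engines = [Engine("security", db), Engine("traffic_management", db)]
    rule = SecurityRule("voice-and-citrix", "10.0.0.0/24", "0.0.0.0/0", "accept", ["SIP", "Citrix"])
    tm_rules = ManagementLogic().generate_tm_rules(rule)
    CoordinationLogic(db, engines).apply(rule, tm_rules)
    return db, engines


if __name__ == "__main__":
    database, engs = demo()
    print(database.links, [(e.name, e.restarts) for e in engs])
```

Selecting SIP and Citrix yields exactly two traffic management rules (premium and critical), the link record ties the security rule to both classes, and each engine reloads once per “Apply”.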
  • the techniques described herein can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them.
  • the techniques can be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

There are methods and apparatus, including computer program products, for defining a policy including a set of rules for a packet forwarding device by receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.

Description

    BACKGROUND
  • This description relates to a network interface device integrating security and traffic management functions.
  • Two critical concerns of Internet Protocol (IP) networks are security and traffic management. To secure an IP network, for example, a local area network, a device such as a firewall can be deployed at the boundary between the local area network and a wide area network (e.g., the Internet) to prevent unauthorized access from sources external to the network. Firewalls serve as a point of network access where incoming traffic from remote sources and outgoing traffic to the Internet can be analyzed and controlled.
  • Due to the development of new services, IP networks today carry multiple types of traffic, such as voice, video, email, and web traffic to name a few. The convergence of multiple types of traffic requires adequate traffic management to ensure that the quality of service (QoS) requirements of each of these services can be met. Maintaining the requisite level of quality of service generates specific constraints as services have different characteristics. For example, voice services are sensitive to both delay and delay variations as distortions of the voice may drastically impact the quality and/or interactivity of the communication, but are generally tolerant to some loss. Video services, on the other hand, are insensitive to delay as compared to voice services, but may be more sensitive to delay variations and loss. Data services in general are largely immune to delay and delay variations, but are sensitive to loss. Uncontrolled traffic in data services has the tendency to consume the entire available pipe simply by the nature of the transport protocol used to transfer the data.
  • Security and traffic management functions are typically implemented by two separate network devices or two separate logical components of a single physical package that are coupled in series and configured independently of each other by different personnel. Miscommunication between the personnel can lead to conflict during operation of the security and traffic management functions. Further, as the two functions behave independently of each other, packet classification is performed twice (once by each function), which adds to processor load and increases latency.
  • SUMMARY
  • In one aspect, implementations of the invention feature a method for defining a policy including a set of rules for a packet forwarding device. The method includes receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.
  • In another aspect, implementations of the invention feature an apparatus that includes management logic and coordination logic. The management logic is configured to receive information sufficient to enable a first rule related to one of security or traffic management to be defined, enable a corresponding second rule related to the other one of security or traffic management to be defined based on the received information, and store attributes of the first rule and attributes of the second rule in a configuration database. The coordination logic is configured to send a first signal to a first engine of a packet forwarding device to notify the first engine of the newly-stored attributes of the first rule, and send a second signal to a second engine of the packet forwarding device to notify the second engine of the newly-stored attributes of the second rule.
  • In another aspect, implementations of the invention feature a network device that includes a first network interface and a second network interface, each of the network interfaces being capable of bi-directional communication; a policy including a set of rules for the device, the set of rules including security rules and traffic management rules; a security engine to filter packets received at the first network interface of the device, the security engine comprising logic to classify each of the packets received at the first network interface, and logic to process the classified packets in accordance with one or more of the security rules to identify accepted packets; and a quality of service engine to schedule the accepted packets for transmission through the second network interface of the device, the quality of service engine comprising logic to queue the accepted packets for transmission based on the classifying performed by the security engine, and logic to process each of the accepted packets queued for transmission in accordance with one or more of the traffic management rules.
  • Implementations of the invention may include one or more of the following advantages.
  • By enabling the security and traffic management functions to be configured in relation to each other, conflict between the functions during operation is significantly reduced, if not eliminated. As the functions logically behave as a tightly integrated unit, packet classification need only be performed once, which minimizes latency and reduces the load on the processor. Deployment of a single physical package is cost effective in terms of installation and maintenance. Another advantage of this invention is that the dynamically negotiated ports can be identified by the classification engine and dynamically used to open pinholes in the firewall while simultaneously identifying the parent and child flows to be processed by the traffic management engine.
  • The details of one or more examples are set forth in the accompanying drawings and the description below. Further features, aspects, and advantages of the invention will become apparent from the description, the drawings, and the claims.
  • DESCRIPTION OF DRAWINGS
  • FIG. 1 shows a communication system.
  • FIGS. 2 and 3 each show a block diagram of an interface device.
  • FIG. 4 shows a backend system for use in configuring an interface device.
  • FIGS. 5, 6a-6e, and 7 each show a screen shot of a graphical user interface for use in configuring an interface device.
  • DETAILED DESCRIPTION
  • FIG. 1 shows a communication system 100 in which an interface device 110 supporting voice, video, and data services is deployed at an intersection of a private network 102 and a public network 104. The private network 102 can include one or more networks, such as a local area network (LAN) and a wireless local area network (WLAN). Each of the LAN and the WLAN includes nodes that are connected using wired, wireless, or optical connections. In the illustrated example, the nodes are personal computers 112, laptops 114, Voice over IP (VoIP)-enabled devices 116, and other devices 118 that are capable of transmitting/receiving voice, video, and/or data communications. The public network 104 can include one or more networks, such as the Internet, an intranet, another LAN, and/or a wide area network (WAN). The interface device 110 manages bi-directional traffic between the private network 102 and the public network 104. The bi-directional traffic can include packets of a variety of protocols, such as the Internet Protocol (IP), the Session Initiation Protocol (SIP), the User Datagram Protocol (UDP), the Transmission Control Protocol (TCP), the File Transfer Protocol (FTP), the Post Office Protocol 3 (POP3), the Simple Mail Transfer Protocol (SMTP), and the Real-time Transport Protocol (RTP), that carry a variety of application traffic.
  • Referring to FIG. 2, in one implementation, the interface device 110 includes a first interface (e.g., “private interface” 202) to the private network 102 and a second interface (e.g., “public interface” 204) to the public network 104. Although each of the interfaces 202, 204 is depicted as a discrete component of the interface device 110, each interface 202, 204 can be implemented as a single component that supports bi-directional communication or as separate components (e.g., a transmit port and a receive port) each supporting uni-directional communication.
  • The interface device 110 also includes security logic 206 and traffic management logic 208 for handling packets passing between the private network 102 and the public network 104. Details of each of the security logic 206 and the traffic management logic 208 are described below with reference to FIG. 3. The interface device 110 also includes other logic not depicted in FIG. 2 to aid in the reception, processing, and transmission of packets between the private network and the public network. Such logic can include packet routing logic, SIP-based call processing logic, VPN, Frame Relay and ATM stacks, various device drivers, etc., to name a few. The logic included in the interface device 110 can be implemented as hardware (e.g., an application specific integrated circuit or a field programmable gate array), software, or a combination of both.
  • The interface device 110 further includes a policy table 210 that specifies how different classes of data flows are to be processed in accordance with a policy set in the interface device 110. The policy table 210 includes a number of records, each of which is associated with a class of data flows, and contains information (“data flow characterization information”) that characterizes the class of data flows using a set of attributes, information (“conditions information”) that defines the conditions when one or more security and/or traffic management rules should be applied, and information (“class identifier”) that uniquely identifies the class of data flows.
  • Referring to FIG. 3, packets arriving at the interface device 110 through the private interface 202 or the public interface 204 are first examined by a classification component 302 of an engine (“security engine” 304) implementing the security logic 206 to determine which data flow each incoming packet belongs to. In one example, the classification component 302 applies a hash function to five attributes of an incoming packet, namely source address, source port, protocol, destination address, and destination port to generate a hash key. The classification component 302 then performs a lookup operation of a connection table 306 to determine whether an entry matching the generated hash key is present in the connection table 306.
  • If a match is found, this indicates to the classification component 302 that the incoming packet is part of an existing data flow (also referred to as a “connection”). Generally, the matched entry contains an admission control directive (e.g., “accept,” “deny,” or “drop”), and a class identifier that uniquely identifies the class of data flows with which the existing connection is associated. The classification component 302 applies the admission control directive to the incoming packet, and in those instances in which the accept admission control directive is applied, tags the incoming packet with the class identifier provided in the matched entry, prior to forwarding the tagged packet to an engine (“traffic management engine” 308) implementing the traffic management logic.
  • If no match is found, this indicates to the classification component 302 that the incoming packet is the first packet of a new connection. The classification component 302 sequentially searches the records of the policy table 210 to locate a record containing data flow characterization information that matches the five attributes of the incoming packet. Once the record is located, the classification component 302 generates a new entry for that specific connection in the connection table 306. The new entry is addressable by the hash key and contains the conditions information and class identifier provided in the located record.
  • The classification component 302 optionally directs the packet to a network address translation (NAT) component 310 for additional processing. The NAT component 310 translates private IP addresses and port numbers within the private network 102 into public IP addresses and port numbers when the communication passes between the private and public networks. The NAT component 310 enables IP addresses and port numbers in the private network 102 to be concealed from the public network 104 using techniques commonly known in the art. For example, source information in the headers of packets received from the private network 102 and destined for the public network 104 can be changed to reflect the IP address and port number of the interface device 110. The NAT component 310 maintains a binding table that links private IP addresses and port numbers with public IP addresses and port numbers. When a reply returns to the interface device 110, the NAT component 310 uses the bindings in the binding table to determine where on the private network 102 to forward the reply.
  • The NAT component 310 places constraints on the deployment of services that carry IP addresses (or address derivatives) in the data stream, and operates on the assumption that each session is independent. However, there are services with higher-layer protocols (such as FTP, H.323, SIP, and MGCP) that use control packets to set the characteristics of the follow-on packet streams in their control packet payload. Services like these assume end-to-end integrity of addresses and will generally fail when traversing the NAT component 310. To address this issue, the interface device 110 can be implemented with an application level gateway (ALG) component 312 that exists within or alongside the NAT component 310 (as shown in the illustrated example of FIG. 3) to update any payload data made invalid by the NAT component 310. As an ALG component 312 needs to understand the higher-layer protocol being fixed, each protocol that may embed an IP address within a data stream requires a separate protocol-specific ALG component 312. In addition to updating the payload data, each protocol-specific ALG component 312 also negotiates with the NAT component 310 to reserve any specific port or port ranges necessary to support the protocol for the duration of a session. These reserved port or port ranges, commonly referred to as “pinholes,” are dynamically opened and closed during a session to enable the packets of the follow-on packet streams (e.g., media streams of a SIP call) to pass through the interface device 110. These pinholes are permanently closed at the termination of the session to avoid possible attacks or unwanted intrusions on the internal network.
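The binding table and the session-scoped pinholes described above, as an added example written for this page (it is not the patent's code). The port pool, the key layout, the session identifier and the choice to keep the same port number on the private side are assumptions made for illustration; the point it shows is that a pinhole is reserved by the ALG for one session, is refused if it would collide with an existing binding, and is closed for good when that session ends.

```python
"""Added example (not the patent's code): a NAT binding table with ALG-requested
pinholes whose lifetime is tied to the session that opened them.  Port pool,
key layout and the session identifier are assumptions for illustration."""
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


class NatWithPinholes:
    def __init__(self, public_ip: str, pool_start: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = pool_start
        # Binding table: (proto, private ip, private port) <-> public port
        self.out: Dict[Tuple[str, str, int], int] = {}
        self.back: Dict[Tuple[str, int], Endpoint] = {}      # (proto, public port) -> private
        # Pinholes opened by an ALG, grouped by the session that requested them
        self.pinholes: Dict[Tuple[str, int], Endpoint] = {}
        self.sessions: Dict[str, Set[Tuple[str, int]]] = {}

    def _in_use(self, proto: str, port: int) -> bool:
        return (proto, port) in self.back or (proto, port) in self.pinholes

    def outbound(self, proto: str, src: Endpoint) -> Endpoint:
        """Rewrite a private source to the device's public address and a pool port."""
        key = (proto, src[0], src[1])
        if key not in self.out:
            while self._in_use(proto, self.next_port):   # skip ports held by pinholes
                self.next_port += 1
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = src
            self.next_port += 1
        return (self.public_ip, self.out[key])

    def inbound(self, proto: str, dst_port: int) -> Optional[Endpoint]:
        """Map a packet arriving on the public side to a private endpoint; None means drop."""
        return self.back.get((proto, dst_port)) or self.pinholes.get((proto, dst_port))

    def open_pinhole(self, session: str, proto: str, private_ip: str, ports: range) -> None:
        """ALG reserves a port range for a session's follow-on media stream."""
        if any(self._in_use(proto, p) for p in ports):
            raise ValueError("port range collides with an existing binding or pinhole")
        for p in ports:
            self.pinholes[(proto, p)] = (private_ip, p)   # same port inside (assumption)
            self.sessions.setdefault(session, set()).add((proto, p))

    def close_session(self, session: str) -> int:
        """Permanently close every pinhole the session opened; returns how many."""
        holes = self.sessions.pop(session, set())
        for key in holes:
            self.pinholes.pop(key, None)
        return len(holes)


def demo() -> List:
    """Constructed SIP call: signalling binding, RTP pinholes, teardown."""
    nat = NatWithPinholes("198.51.100.1")                 # constructed public address
    sig = nat.outbound("udp", ("10.0.0.5", 5060))          # SIP signalling leaves the LAN
    reply = nat.inbound("udp", sig[1])                     # reply returns via the binding
    nat.open_pinhole("call-1", "udp", "10.0.0.5", range(10000, 10002))   # RTP/RTCP pair
    media = nat.inbound("udp", 10000)                      # media reaches the phone
    closed = nat.close_session("call-1")                   # call ends: pinholes removed
    after = nat.inbound("udp", 10000)                      # same port now has nowhere to go
    return [sig, reply, media, closed, after]
```

`inbound` returning `None` is the drop decision: once `close_session` has run, traffic to the former media ports is no longer forwarded into the private network, which is the property the description relies on to avoid lingering openings after a call.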
  • Once the packet has been processed by the NAT component 310 (and if necessary, a protocol-specific ALG component 312), an admission control component 314 of the interface device 110 issues an admission control directive for the packet based on the conditions information specified for the class of data flows with which the packet is associated. In one example, the admission control component is implemented to issue an “accept” directive only if the additional connection (with which the packet is associated) and existing connections of the class consume a total bandwidth that is less than the maximum bandwidth for the class; otherwise the admission control component issues a “drop” directive, in which the packet is silently dropped, or a “deny” directive, in which a message is returned to the node that originated the packet.
  • The connection table entry corresponding to the connection with which the packet is associated is then augmented to include the issued directive. If an “accept” directive has been issued for a packet, the security engine 304 tags the packet with the class identifier provided in the packet's connection table entry, and forwards the tagged packet to the traffic management engine 308 for placement into one of a number of outbound queues 316 based on its class identifier.
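The single-pass classification and admission control just described, as an added example written for this page (not the patent's code). It keeps a policy table searched sequentially, a connection table keyed by the five hashed attributes, and per-class bandwidth accounting that drives the accept/drop/deny decision; the record layout, the `*`/`None` wildcards, the per-connection bandwidth estimate carried on the first packet, and default-deny for packets matching no record are assumptions made for illustration.

```python
"""Added example (not the patent's code): one-pass classification plus admission
control in the style of the security engine described above.  Record layout,
wildcard matching, the per-connection bandwidth estimate and default-deny for
unmatched packets are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five attributes hashed by the classification component.
FiveTuple = Tuple[str, int, str, str, int]   # src, sport, proto, dst, dport


@dataclass(frozen=True)
class PolicyRecord:
    """One policy table record: characterization, conditions, class identifier."""
    src: str                 # address or "*" (wildcard is an assumption)
    sport: Optional[int]     # None matches any port
    proto: str
    dst: str
    dport: Optional[int]
    max_class_kbps: int      # conditions information: bandwidth cap for the class
    on_exceed: str           # "drop" (silent) or "deny" (message returned to originator)
    class_id: str

    def matches(self, ft: FiveTuple) -> bool:
        src, sport, proto, dst, dport = ft
        return (self.src in ("*", src) and self.sport in (None, sport)
                and self.proto == proto
                and self.dst in ("*", dst) and self.dport in (None, dport))


@dataclass
class ConnEntry:
    """Connection table entry, addressed by the 5-tuple."""
    class_id: str
    directive: str           # admission control directive: accept / drop / deny
    kbps: int                # bandwidth attributed to this connection


@dataclass
class Packet:
    ft: FiveTuple
    est_kbps: int = 0        # bandwidth a new connection is expected to use (assumed input)
    class_tag: Optional[str] = None   # set only on accepted packets


class SecurityEngine:
    def __init__(self, policy: List[PolicyRecord]) -> None:
        self.policy = list(policy)                 # searched sequentially; first match wins
        self.conn_table: Dict[FiveTuple, ConnEntry] = {}   # dict hashes the 5-tuple
        self.class_usage: Dict[str, int] = {}      # kbps currently admitted per class

    def _admission_control(self, rec: PolicyRecord, kbps: int) -> str:
        used = self.class_usage.get(rec.class_id, 0)
        # Accept only while new + existing usage stays below the class maximum.
        return "accept" if used + kbps < rec.max_class_kbps else rec.on_exceed

    def process(self, pkt: Packet) -> str:
        """Classify pkt, return its admission directive, and tag it if accepted."""
        entry = self.conn_table.get(pkt.ft)
        if entry is None:                          # first packet of a new connection
            rec = next((r for r in self.policy if r.matches(pkt.ft)), None)
            if rec is None:
                return "drop"                      # no record matched: default-deny (assumption)
            directive = self._admission_control(rec, pkt.est_kbps)
            entry = ConnEntry(rec.class_id, directive, pkt.est_kbps)
            self.conn_table[pkt.ft] = entry        # later packets skip the policy search
            if directive == "accept":
                self.class_usage[rec.class_id] = (
                    self.class_usage.get(rec.class_id, 0) + pkt.est_kbps)
        if entry.directive == "accept":
            pkt.class_tag = entry.class_id         # tag read by the traffic management engine
        return entry.directive

    def close(self, ft: FiveTuple) -> None:
        """Release a finished connection's bandwidth and drop its table entry."""
        entry = self.conn_table.pop(ft, None)
        if entry and entry.directive == "accept":
            self.class_usage[entry.class_id] -= entry.kbps


def demo() -> List[str]:
    """Constructed traffic: two SIP signalling flows, one unmatched flow, one repeat."""
    engine = SecurityEngine([
        PolicyRecord("*", None, "udp", "*", 5060, 200, "deny", "premium"),
        PolicyRecord("*", None, "tcp", "*", 80, 1000, "drop", "standard"),
    ])
    a = Packet(("10.0.0.5", 40001, "udp", "203.0.113.9", 5060), est_kbps=100)
    b = Packet(("10.0.0.6", 40002, "udp", "203.0.113.9", 5060), est_kbps=100)
    c = Packet(("10.0.0.7", 40003, "udp", "203.0.113.9", 9999), est_kbps=10)
    results = [engine.process(a), engine.process(b), engine.process(c)]
    results.append(engine.process(Packet(a.ft)))   # second packet of a: table hit, no search
    return results
```

The second flow is denied because the class would reach, not stay below, its 200 kbps cap, and the directive is then stored in the connection table, so every later packet of that flow is answered from the table without touching the policy table again; `close` is what lets a class regain headroom once a flow ends.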
  • In one implementation, the traffic management engine 308 includes a queuing engine 318, a rate shaper component 320, a maximum segment size (MSS) component 322, and a type of service (TOS) component 324 for managing outbound traffic in accordance with the policy so as to avoid congestion, packet loss, and application performance degradation. Many transport-layer protocols include end-to-end acknowledgments. In TCP, an acknowledgement includes a field that indicates to a sender the amount of data (a “window size”) that it may send without acknowledgment. This field is typically used for window-based flow control. As packets of a connection pass from a source node to a destination node, acknowledgement packets are passed through the rate shaper component 320. For TCP-based flows, the rate shaper component 320 modifies the acknowledgement packets to control the rate at which packets are sent for those connections, thereby controlling the depth of the outbound queues for those connections. This mechanism is particularly useful for TCP-based connections. In TCP, when a connection is initially established, the window size may be too large and then converge slowly to a smaller value based on feedback from the destination. Using the rate shaper component 320, the initial window size can be set smaller, so that the device need not rely on feedback from the destination to reduce the window size. The maximum segment size component 322 can be used to modify the maximum requested segment size for packets in a connection. This mechanism is used to cause a source of a relatively low priority connection to use smaller packets so that a higher priority connection does not suffer long latency when it gets queued behind a long low-priority packet. The TOS component 324 examines a TOS bit of each packet to determine a precedence for the packet. Preferential service can be provided to higher priority packets. For example, packets that are part of an interactive application may have a TOS bit associated with a higher priority than packets that are part of a bulk file transfer between sites.
  • FIG. 4 shows a backend system 400 for use in configuring the interface device 110. The system 400 includes management logic 402, coordination logic 404, and a configuration database 406. The management logic 402 implements a graphical user interface (GUI) through which a user, such as an administrator of the interface device 110, can specify and/or modify a policy for the interface device 110.
  • When the user launches the GUI, the user is presented with a network map screen 500, illustrated in FIG. 5. From the network map screen 500, the user can add a new security rule or a new traffic management rule to the policy for the interface device 110 by clicking on the appropriate icon (e.g., security icon 502 or traffic management icon 504) displayed on the sidebar on the left-hand side of the network map screen. Suppose, for example, that the user clicks on the security icon 502. This action brings up a security settings screen 600, illustrated in FIGS. 6a-6e, that allows the user to enter various pieces of information to enable a new security rule to be defined. The information includes attributes of IP address matching parameters 602, operation parameters 604, and service parameters 606.
  • To apply the security rule, a match has to be made between IP addresses. The user can define a coupling of source and destination traffic by specifying “Source IP address” and “Destination IP address” attributes.
  • For those packets that match the source and destination IP address attributes of the IP address matching parameters, the user can specify an action to be taken using the operation parameters. In one example, the action is one of “drop” (i.e., deny access to packets that match the source and destination IP address), “reject” (i.e., deny access to packets that match the source and destination IP address and send a response to the node(s) originating the packet(s)), and “accept” (i.e., allow access to packets that match the source and destination IP address).
  • The user can also select one or more services to which this security rule is to be applied. FIGS. 6a-6e show a list of services that are generally categorized by type. For example, under the “Basic Web Utilities” service type, the user can select the checkboxes alongside the following: FTP—File Transfer, HTTP—Web Server, IMAP—Messaging Server, NNTP—News Server, SNMP—Simple Network Management Protocol, and TELNET—Remote Connection. Under the “Chat and VoIP Applications” service type, the user can select the checkboxes alongside the following: SIP, Net2Phone, H.323 Call Signaling, and MGCP. Under the “Gaming” service type, the user can select Delta Force, Quake III, and Warbirds 2.
  • In one implementation, the user can also select a traffic management class to which the security rule is to be linked. Referring to the “Assign filter to class” portion 608 of the security settings screen of FIG. 6a, if no traffic management classes have been defined, only a “Default” traffic management class is provided for selection. This “Default” traffic management class generally corresponds to a standard class of service in which no special processing is performed by the traffic management engine other than limiting the total bandwidth of all packets used by all services in the standard class of service to be within the bandwidth of the connection. If traffic management classes have been defined (as shown in FIG. 6a), the user can link the security rule to a specific class by choosing one of the traffic management classes provided in a drop-down menu in the “Assign filter to class” portion of the security settings screen. If none of the existing traffic management classes provided in the drop-down menu are satisfactory, the user can define a new traffic management class by clicking on the traffic management icon on the left-hand side of the network map screen. This action brings up a traffic management settings screen 700, illustrated in FIG. 7, that allows the user to enter various pieces of information to customize a traffic management rule. The information includes the total amount of bandwidth that is guaranteed to this class of data flows, whether rate shaping applies to this class of data flows, burst bandwidth, priority, and type of service, to name a few. In the case of a voice service, the user can identify a number of calls to be simultaneously permitted per codec for the premium class of service associated with the voice service. Once the user clicks on the “OK” button 702 on the bottom of the traffic management settings screen 700, the coordination logic 404 of the backend system 400 stores the attributes of the newly-defined traffic management rule in the configuration database, and returns the user to the previously-displayed security settings screen. From this screen, the user can select the newly-defined traffic management class from the drop-down menu of the “Assign filter to class” portion of the security settings screen.
  • Once the user clicks on the “OK” button 610 at the bottom of the security settings screen 600, the coordination logic 404 of the backend system 400 stores the attributes of the security rule in the configuration database 406 and automatically creates and stores the linking information between the security rule and the traffic management class.
  • In another implementation, the management logic 402 has access to information that categorizes services by class. For example, services such as SIP, Net2Phone, and H.323 are recognized as being voice services that are sensitive to both delay and delay variations, and data flows associated with SIP, Net2Phone, and H.323 are placed into a premium class of data flows. Services such as Citrix, PPTP, and TELNET are recognized as being time-sensitive data services, and data flows associated with Citrix, PPTP, and TELNET are placed into a critical class of data flows. Services such as HTTP, FTP, and SNMP are recognized as being non-time-critical data services, and data flows associated with HTTP, FTP, and SNMP are placed into a standard class of data flows. Each of these classes of data flows (i.e., premium, critical, and standard) has a default traffic management rule.
  • When the user clicks on the “OK” button 610 on the bottom of the security settings screen 600, the management logic 402 identifies the classes of data flows associated with the services selected by the user in the security settings screen, and generates class-based traffic management rules based on the respective defaults. For example, if the user selects SIP and Citrix as being the services to which the security rule is applied, the management logic automatically generates two traffic management rules: (1) a traffic management rule for the premium class of data flows based on the user selection of SIP; and (2) a traffic management rule for the critical class of data flows based on the user selection of Citrix. The coordination logic of the backend system stores the attributes of the security rule in the configuration database and automatically creates and stores the linking information between the security rule and the traffic management class(es).
  • Although the description above is directed to the generation of one or more traffic management rules based on information provided by the user with respect to a security rule, the techniques are also applicable to the scenario in which the user enters sufficient information to define a new traffic management rule, and one or more security rules corresponding to the new traffic management rule are generated by selecting either a new inbound filter 706 or a new outbound filter 708.
  • Once the user is satisfied with the number of security and traffic management rules that have been added to the policy of the interface device 110, the user can select an “Apply” button 702, illustratively depicted at the bottom of the traffic management settings screen 700 in FIG. 7. This action causes the coordination logic 404 to send respective notification signals to the security engine 304 and the traffic management engine 308 indicating that the configuration database has been updated. The security engine 304 responds to the notification signal by retrieving the attributes associated with the security rules from the configuration database 406, loading the retrieved attributes, and restarting itself. Likewise, the traffic management engine 308 responds to the notification signal by retrieving the attributes associated with the traffic management rules from the configuration database, loading the retrieved attributes, and restarting itself. Once the security engine 304 and the traffic management engine 308 have been restarted, the interface device 110 is ready to accept and process packets in accordance with the updated policy.
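The backend workflow of the preceding paragraphs (service-to-class categorization, generation of class-based traffic management rules from their defaults, storage of the linking information, and the Apply notification to both engines), as an added example written for this page and not the patent's own code. The class membership of each service follows the description; the default rule values, the rule identifiers, the database layout and the engine interface are assumptions made for illustration.

```python
"""Added example (not the patent's code): management and coordination logic that
derives class-based traffic management rules from the services named in a
security rule, links the two in a configuration database, and notifies both
engines on Apply.  Default rule values, identifiers and the engine interface are
assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Service -> class categorization, as described for the second implementation.
SERVICE_CLASS = {
    "SIP": "premium", "Net2Phone": "premium", "H.323": "premium",
    "Citrix": "critical", "PPTP": "critical", "TELNET": "critical",
    "HTTP": "standard", "FTP": "standard", "SNMP": "standard",
}

# Default traffic management rule per class (constructed values).
DEFAULT_TM_RULE = {
    "premium":  {"guaranteed_kbps": 512, "burst_kbps": 768, "priority": 1, "rate_shaping": False},
    "critical": {"guaranteed_kbps": 256, "burst_kbps": 512, "priority": 2, "rate_shaping": True},
    "standard": {"guaranteed_kbps": 0,   "burst_kbps": 0,   "priority": 3, "rate_shaping": True},
}
ACTIONS = ("accept", "drop", "reject")


@dataclass
class SecurityRule:
    rule_id: str
    src: str
    dst: str
    action: str
    services: List[str]


@dataclass
class ConfigDatabase:
    security_rules: Dict[str, SecurityRule] = field(default_factory=dict)
    tm_rules: Dict[str, dict] = field(default_factory=dict)      # class name -> attributes
    links: Dict[str, List[str]] = field(default_factory=dict)    # security rule -> classes


class Engine:
    """Stand-in for the security or traffic management engine; reloads on notification."""
    def __init__(self, name: str) -> None:
        self.name, self.loaded, self.restarts = name, None, 0

    def notify(self, attributes) -> None:
        self.loaded = attributes       # retrieve and load the attributes ...
        self.restarts += 1             # ... then restart with the updated policy


class CoordinationLogic:
    def __init__(self, db: ConfigDatabase) -> None:
        self.db = db
        self.security_engine = Engine("security")
        self.tm_engine = Engine("traffic-management")

    def apply(self) -> None:
        """Send each engine its own notification that the database changed."""
        self.security_engine.notify(dict(self.db.security_rules))
        self.tm_engine.notify(dict(self.db.tm_rules))


class ManagementLogic:
    def __init__(self, db: ConfigDatabase, coordination: CoordinationLogic) -> None:
        self.db, self.coordination = db, coordination

    def add_security_rule(self, rule: SecurityRule) -> List[str]:
        """Store the rule, create a default TM rule for each class its services
        belong to (unless one already exists), and record the links."""
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action!r}")
        unknown = [s for s in rule.services if s not in SERVICE_CLASS]
        if unknown:                    # a service with no class cannot be linked
            raise ValueError(f"services without a class: {unknown}")
        classes = sorted({SERVICE_CLASS[s] for s in rule.services})
        for cls in classes:
            self.db.tm_rules.setdefault(cls, dict(DEFAULT_TM_RULE[cls]))
        self.db.security_rules[rule.rule_id] = rule
        self.db.links[rule.rule_id] = classes
        return classes

    def apply(self) -> None:
        self.coordination.apply()


def demo() -> ConfigDatabase:
    """The SIP + Citrix case from the description: two TM rules from one security rule."""
    db = ConfigDatabase()
    mgmt = ManagementLogic(db, CoordinationLogic(db))
    mgmt.add_security_rule(SecurityRule("fw-1", "10.0.0.0/24", "*", "accept", ["SIP", "Citrix"]))
    mgmt.apply()
    return db
```

Two details are deliberate: a service that is not in the categorization is refused rather than silently left without a class, and a class that already has a customized rule keeps it (`setdefault`), so adding a second security rule never overwrites an administrator's earlier traffic management settings. The example generates traffic management rules whatever the action is, because the description does not distinguish; a deployment may reasonably skip that step for “drop” and “reject” rules, whose packets never reach the traffic management engine.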
  • The techniques described herein can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. The techniques can be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
  • Method steps of the techniques described herein can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output. Method steps can also be performed by, and apparatus of the invention can be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). Modules can refer to portions of the computer program and/or the processor/special circuitry that implements that functionality.
  • Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in special purpose logic circuitry.
  • To provide for interaction with a user, the techniques described herein can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer (e.g., interact with a user interface element, for example, by clicking a button on such a pointing device). Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
  • The techniques described herein can be implemented in a distributed computing system that includes a back-end component, e.g., as a data server, and/or a middleware component, e.g., an application server, and/or a front-end component, e.g., a client computer having a graphical user interface and/or a Web browser through which a user can interact with an implementation of the invention, or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), e.g., the Internet, and include both wired and wireless networks.
  • The computing system can include clients and servers. A client and server are generally remote from each other and typically interact over a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
  • Other embodiments are within the scope of the following claims. The following are examples for illustration only and not to limit the alternatives in any way. The techniques described herein can be performed in a different order and still achieve desirable results.

Claims (27)

1. A method for defining a policy including a set of rules for a packet forwarding device, the method comprising:
receiving information sufficient to enable a first rule related to one of security or traffic management to be defined; and
based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.
2. The method of claim 1, wherein the second rule is defined without requiring any further information to be received.
3. The method of claim 1, wherein the information sufficient to enable the first rule to be defined is received from a user, and the second rule is automatically defined without requiring any further input from the user.
4. The method of claim 1, wherein the packet forwarding device is capable of processing data packets received from a local area network and bound for a wide area network in accordance with the defined policy.
5. The method of claim 1, wherein the packet forwarding device is capable of processing data packets received from a wide area network and bound for a local area network in accordance with the defined policy.
6. The method of claim 1, wherein receiving information sufficient to enable a first rule related to security or traffic management to be defined comprises:
receiving first information identifying a service; and
receiving second information defining a set of actions to govern data traffic associated with the identified service.
7. The method of claim 6, wherein the second information comprises one or more of the following: information related to attributes of IP address matching, information related to operation parameters, and information related to service parameters.
8. The method of claim 1, wherein receiving information sufficient to enable a first rule related to security or traffic management to be defined comprises:
receiving first information identifying a total amount of available bandwidth for a network link;
receiving second information identifying a class of service; and
determining a percentage of the total amount of available bandwidth to be guaranteed to the identified class of service.
9. The method of claim 1, further comprising:
accessing pre-stored information associating each of a set of services with a class of service and associating each of a set of classes of service with one or more services, wherein:
the set of services comprises one or more of the following: a voice service, a video service, and a data service; and
the set of classes of service comprises one or more of the following: a premium class of service, a critical class of service, and a standard class of service.
10. The method of claim 9, wherein automatically enabling a corresponding second rule related to the other one of security or traffic management to be defined comprises:
examining the received information to identify a service to which the first rule related to one of security or traffic management is to be applied; and
enabling a second rule related to the other one of security or traffic management to be defined based on the class of service associated with the identified service.
11. The method of claim 10, wherein when the service is identified as a voice service, the enabling comprises:
identifying a number of calls to be simultaneously permitted per codec for the premium class of service associated with the voice service.
12. The method of claim 9, wherein automatically enabling a corresponding second rule related to the other one of security or traffic management to be defined comprises:
examining the received information to identify a class of service to which the first rule related to one of security or traffic management is to be applied; and
enabling a second rule related to the other one of security or traffic management to be defined based on the one or more services associated with the identified class of service.
13. An apparatus comprising:
management logic to:
receive information sufficient to enable a first rule related to one of security or traffic management to be defined,
enable a corresponding second rule related to the other one of security or traffic management to be defined based on the received information, and
store attributes of the first rule and attributes of the second rule in a configuration database; and
coordination logic to:
send a first signal to a first engine of a packet forwarding device to notify the first engine of the newly-stored attributes of the first rule, and
send a second signal to a second engine of the packet forwarding device to notify the second engine of the newly-stored attributes of the second rule.
14. The apparatus of claim 13, wherein the information sufficient to enable the first rule related to one of security or traffic management to be defined is provided by a user using a graphical user interface.
15. The apparatus of claim 14, wherein the second rule related to the other one of security or traffic management is automatically defined without requiring any further input to be received from the user.
16. The apparatus of claim 13, wherein the second rule related to the other one of security or traffic management is defined without requiring any further information to be received by the management logic.
17. The apparatus of claim 13, wherein:
the first rule is related to security and the first engine is a security engine; and
the second rule is related to traffic management and the second engine is a quality of service engine.
18. The apparatus of claim 13, wherein:
the first rule is related to traffic management and the first engine is a quality of service engine; and
the second rule is related to security and the second engine is a security engine.
19. The apparatus of claim 13, wherein the coordination logic is to configure a first engine and a second engine of a packet forwarding device that is capable of processing data packets passing between a local area network and a wide area network.
20. A network device comprising:
a first network interface and a second network interface, each of the network interfaces being capable of bidirectional communication;
a policy including a set of rules for the device, the set of rules including security rules and traffic management rules;
a security engine to filter packets received at the first network interface of the device, the security engine comprising logic to classify each of the packets received at the first network interface, and logic to process the classified packets in accordance with one or more of the security rules to identify accepted packets; and
a quality of service engine to schedule the accepted packets for transmission through the second network interface of the device, the quality of service engine comprising logic to queue the accepted packets for transmission based on the classifying performed by the security engine, and logic to process each of the accepted packets queued for transmission in accordance with one or more of the traffic management rules.
21. The device of claim 20, wherein for each packet received at the first network interface, the security engine comprises logic to identify a data flow associated with the packet.
22. The device of claim 21, wherein the logic to identify the data flow associated with the packet comprises logic to examine network layer addressing data in the packet.
23. The device of claim 22, wherein the logic to examine the network layer addressing data comprises logic to identify destination network layer addresses of the packet.
24. The device of claim 21, wherein the logic to identify the data flow associated with the packet comprises logic to examine application layer data in the packet.
25. The device of claim 20, wherein the logic to classify a packet received at the first network interface comprises logic to:
examine the packet to identify a service associated with the packet;
determine which one of the security rules is to be applied to the packet based on its identified service; and
classify the packet in accordance with the security rule to be applied.
26. The device of claim 20, wherein the logic to process the classified packets in accordance with one or more of the security rules to identify accepted packets comprises logic to perform functionality of one or more of the following: network address translation, application layer gateway, and admission control.
27. The device of claim 20, wherein the logic to process each of the accepted packets queued for transmission in accordance with one or more of the traffic management rules comprises logic to perform one or more of the following: rate shaping packet processing, maximum segment size packet processing, and type of service packet processing.
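The rule-definition flow of claims 1 through 19, rendered as an added illustrative model. This is not the patent's code or the assignee's product: the service names and classes of service are the claims' own, while the bandwidth shares per class, the per-codec call budgets, the SIP match attribute and the engine names are assumed values chosen for the example. A security rule for one service yields a traffic management rule from the class of service that the pre-stored mapping associates with that service; a traffic management rule for a class yields a security rule admitting that class's services; both are stored and each engine is signalled once.

```python
"""Model of the claimed policy-definition flow (claims 1-19): one rule is
supplied for a service, the corresponding rule of the other kind is derived
from pre-stored service/class-of-service associations, both rules are stored
in a configuration database and each engine is signalled.  Constructed
illustration, not the patent's implementation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Pre-stored associations (claim 9).  Service and class names come from the
# claims; the bandwidth shares and per-codec call budgets are hypothetical.
SERVICE_TO_CLASS = {"voice": "premium", "video": "critical", "data": "standard"}
CLASS_TO_SERVICES = {"premium": ["voice"], "critical": ["video"], "standard": ["data"]}
CLASS_SHARE_PERCENT = {"premium": 40, "critical": 35, "standard": 25}   # hypothetical
CALLS_PER_CODEC = {"G.711": 8, "G.729": 20}                             # hypothetical

@dataclass
class Rule:
    kind: str                     # "security" or "traffic"
    cos: str                      # class of service the rule applies to
    service: Optional[str] = None
    attrs: Dict[str, object] = field(default_factory=dict)

def guaranteed_bandwidth_kbps(link_kbps: int, cos: str) -> int:
    """Claim 8: share of the link's total bandwidth guaranteed to a class."""
    return link_kbps * CLASS_SHARE_PERCENT[cos] // 100

def security_rule_for(service: str, actions: Dict[str, object]) -> Rule:
    """Claims 6-7: a security rule is an identified service plus a set of actions."""
    return Rule("security", SERVICE_TO_CLASS[service], service, dict(actions))

def derive_counterpart(first: Rule, link_kbps: int) -> Rule:
    """Claims 1-3, 10-12: build the second rule from the first alone."""
    if first.kind == "security":
        # Claim 10: the targeted service selects the class, the class selects
        # the traffic management attributes.
        attrs: Dict[str, object] = {
            "guaranteed_kbps": guaranteed_bandwidth_kbps(link_kbps, first.cos)}
        if first.service == "voice":
            attrs["calls_per_codec"] = dict(CALLS_PER_CODEC)   # claim 11
        return Rule("traffic", first.cos, first.service, attrs)
    if first.kind == "traffic":
        # Claim 12: the traffic rule names a class; admit that class's services.
        return Rule("security", first.cos, None,
                    {"permit_services": list(CLASS_TO_SERVICES[first.cos]),
                     "action": "accept"})
    raise ValueError(f"unknown rule kind {first.kind!r}")

class ManagementLogic:
    """Claim 13: store both rules' attributes and signal each engine."""

    def __init__(self, link_kbps: int, notify: Callable[[str, Rule], None]):
        self.link_kbps = link_kbps
        self.config_db: List[Rule] = []   # stands in for the configuration database
        self.notify = notify              # coordination logic: one signal per engine

    def define(self, first: Rule) -> Tuple[Rule, Rule]:
        second = derive_counterpart(first, self.link_kbps)
        self.config_db.extend([first, second])
        for rule in (first, second):
            engine = "security_engine" if rule.kind == "security" else "qos_engine"
            self.notify(engine, rule)     # claims 17-18: either rule may come first
        return first, second

def demo(link_kbps: int = 2048) -> List[Tuple[str, str, str]]:
    """Define one rule of each kind and return the signals the engines received."""
    signals: List[Tuple[str, str, str]] = []
    mgmt = ManagementLogic(link_kbps, lambda eng, r: signals.append((eng, r.kind, r.cos)))
    # Security rule entered first: permit voice signalling (assumed match udp/5060).
    mgmt.define(security_rule_for("voice", {"action": "accept", "match": "udp/5060"}))
    # Traffic management rule entered first: the 'standard' class's link share.
    mgmt.define(Rule("traffic", "standard",
                     attrs={"guaranteed_kbps": guaranteed_bandwidth_kbps(link_kbps, "standard")}))
    return signals

if __name__ == "__main__":
    for sig in demo():
        print(sig)
```

The point the model makes explicit is that the derived rule carries no information the operator did not already supply: everything in it comes from the first rule and the pre-stored associations, which is what lets claims 2, 3, 15 and 16 say the second rule needs no further input. A practitioner reviewing such a device should therefore audit the stored association table with the same care as the rules themselves, since an entry there silently shapes every rule derived from it.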
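The two-stage data path of claims 20 through 27, as an added illustrative model rather than the patent's or the assignee's implementation. The security engine identifies the flow from transport addressing and an application-layer hint, applies the security rule for the identified service (drop when no rule matches, source NAT, per-codec call admission) and tags the packet with its class of service; the quality-of-service engine queues accepted packets by that tag, marks DSCP and rate-shapes each queue to its share of the link. The packets, the RTP port range, the call budget, the NAT address, the class shares and the link budget are all constructed assumptions.

```python
"""Model of the claimed data path (claims 20-27): a security engine classifies
and filters each packet and tags it with a class of service; a QoS engine
queues accepted packets by that class, marks DSCP and shapes each queue.
Constructed illustration, not the patent's implementation."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, str, int]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "udp" or "tcp"
    dport: int
    size: int                   # bytes on the wire
    app: str = ""               # constructed application-layer hint (codec of an RTP flow)
    cos: Optional[str] = None   # set by the security engine
    tos: int = 0                # DSCP set by the QoS engine

# Service lookup by port (claims 22-23).  The RTP range is a common default, not a
# standard; the call budget, NAT address, shares and link budget are hypothetical.
PORT_SERVICE = {5060: "voice", 554: "video", 80: "data", 443: "data"}
RTP_PORTS = range(16384, 32768)
SERVICE_COS = {"voice": "premium", "video": "critical", "data": "standard"}
SECURITY_RULES = {"voice": "accept", "video": "accept", "data": "accept"}  # no rule: drop
CALL_LIMIT = {"G.711": 2}                                # simultaneous calls per codec
WAN_ADDR = "198.51.100.1"                                # documentation-range SNAT address
DSCP = {"premium": 46, "critical": 34, "standard": 0}    # EF, AF41, best effort
CLASS_SHARE_PERCENT = {"premium": 50, "critical": 30, "standard": 20}
LINK_BYTES_PER_INTERVAL = 3000                           # shaping budget per interval

def identify_service(p: Packet) -> Optional[str]:
    """Claims 22-24: transport addressing plus an application-layer hint."""
    if p.proto == "udp" and p.dport in RTP_PORTS and p.app:
        return "voice"
    return PORT_SERVICE.get(p.dport)

class SecurityEngine:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}          # claim 21: flow -> service
        self.calls: Dict[str, Set[FlowKey]] = {}     # codec -> admitted call flows
        self.nat: Dict[FlowKey, str] = {}            # translated flow -> original source

    def process(self, p: Packet) -> bool:
        """Accept (True; packet tagged and translated in place) or drop (False)."""
        key: FlowKey = (p.src, p.dst, p.proto, p.dport)
        service = self.flows.get(key) or identify_service(p)
        if service is None or SECURITY_RULES.get(service) != "accept":
            return False                              # claim 25: no matching rule
        self.flows[key] = service
        if service == "voice" and p.app in CALL_LIMIT:  # claim 26: admission control
            admitted = self.calls.setdefault(p.app, set())
            if key not in admitted and len(admitted) >= CALL_LIMIT[p.app]:
                return False
            admitted.add(key)
        self.nat[key] = p.src                         # claim 26: source NAT
        p.src = WAN_ADDR
        p.cos = SERVICE_COS[service]
        return True

class QosEngine:
    def __init__(self) -> None:
        self.queues: Dict[str, Deque[Packet]] = {c: deque() for c in CLASS_SHARE_PERCENT}
        self.credit: Dict[str, int] = {c: 0 for c in CLASS_SHARE_PERCENT}

    def enqueue(self, p: Packet) -> None:
        p.tos = DSCP[p.cos]                           # claim 27: type-of-service marking
        self.queues[p.cos].append(p)

    def schedule(self) -> List[Packet]:
        """One shaping interval (claim 27): each class earns its share of the link
        as byte credit (capped) and transmits while its head packet fits."""
        sent: List[Packet] = []
        for cos, pct in CLASS_SHARE_PERCENT.items():
            self.credit[cos] = min(self.credit[cos] + LINK_BYTES_PER_INTERVAL * pct // 100,
                                   2 * LINK_BYTES_PER_INTERVAL)
            q = self.queues[cos]
            while q and q[0].size <= self.credit[cos]:
                self.credit[cos] -= q[0].size
                sent.append(q.popleft())
        return sent

def run_pipeline(packets: List[Packet]) -> Tuple[QosEngine, List[Packet]]:
    sec, qos, dropped = SecurityEngine(), QosEngine(), []
    for p in packets:
        if sec.process(p):
            qos.enqueue(p)
        else:
            dropped.append(p)
    return qos, dropped

def sample_packets() -> List[Packet]:
    """Constructed LAN-to-WAN traffic: three G.711 calls (one over budget), one
    video stream, two web flows and a telnet attempt with no matching rule."""
    return [Packet("10.0.0.1", "203.0.113.5", "udp", 20000, 200, app="G.711"),
            Packet("10.0.0.2", "203.0.113.5", "udp", 20002, 200, app="G.711"),
            Packet("10.0.0.3", "203.0.113.5", "udp", 20004, 200, app="G.711"),
            Packet("10.0.0.4", "203.0.113.9", "tcp", 554, 1400),
            Packet("10.0.0.5", "203.0.113.7", "tcp", 443, 1400),
            Packet("10.0.0.5", "203.0.113.7", "tcp", 80, 1400),
            Packet("10.0.0.6", "203.0.113.8", "tcp", 23, 100)]
```

Running `run_pipeline(sample_packets())` drops the third G.711 call and the telnet packet before either reaches a queue, which is the ordering claim 20 fixes: the QoS engine only ever sees accepted packets, and it classifies nothing itself, reusing the tag the security engine assigned. Successive `schedule()` calls then drain the premium queue first and let the larger video and data packets wait until their class has accumulated enough credit, so a burst in one class cannot consume another class's guaranteed share.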

Priority Applications (4)

Application Number Priority Date Filing Date Title
US11/367,765 US7970899B2 (en) 2006-03-03 2006-03-03 Integrated data flow packet admission and traffic management apparatus
US12/360,520 US20100031323A1 (en) 2006-03-03 2009-01-27 Network Interface Device
US12/551,169 US7987267B2 (en) 2006-03-03 2009-08-31 Apparatus for defining a set of rules for a packet forwarding device
US12/551,147 US8069244B2 (en) 2006-03-03 2009-08-31 Method for defining a set of rules for a packet forwarding device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/367,765 US7970899B2 (en) 2006-03-03 2006-03-03 Integrated data flow packet admission and traffic management apparatus

Related Child Applications (3)

Application Number Title Priority Date Filing Date
US12/360,520 Division US20100031323A1 (en) 2006-03-03 2009-01-27 Network Interface Device
US12/551,147 Division US8069244B2 (en) 2006-03-03 2009-08-31 Method for defining a set of rules for a packet forwarding device
US12/551,169 Division US7987267B2 (en) 2006-03-03 2009-08-31 Apparatus for defining a set of rules for a packet forwarding device

Publications (2)

Publication Number Publication Date
US20070208854A1 true US20070208854A1 (en) 2007-09-06
US7970899B2 US7970899B2 (en) 2011-06-28

Family

ID=38472668

Family Applications (4)

Application Number Title Priority Date Filing Date
US11/367,765 Active 2027-12-30 US7970899B2 (en) 2006-03-03 2006-03-03 Integrated data flow packet admission and traffic management apparatus
US12/360,520 Abandoned US20100031323A1 (en) 2006-03-03 2009-01-27 Network Interface Device
US12/551,147 Active 2026-06-09 US8069244B2 (en) 2006-03-03 2009-08-31 Method for defining a set of rules for a packet forwarding device
US12/551,169 Active US7987267B2 (en) 2006-03-03 2009-08-31 Apparatus for defining a set of rules for a packet forwarding device

Family Applications After (3)

Application Number Title Priority Date Filing Date
US12/360,520 Abandoned US20100031323A1 (en) 2006-03-03 2009-01-27 Network Interface Device
US12/551,147 Active 2026-06-09 US8069244B2 (en) 2006-03-03 2009-08-31 Method for defining a set of rules for a packet forwarding device
US12/551,169 Active US7987267B2 (en) 2006-03-03 2009-08-31 Apparatus for defining a set of rules for a packet forwarding device

Country Status (1)

Country Link
US (4) US7970899B2 (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070211644A1 (en) * 2006-03-07 2007-09-13 Ottamalika Iqlas M Graphical representation of the flow of a packet through a network device
US20080225742A1 (en) * 2006-10-27 2008-09-18 Kyu-Ho Cho Scheduling method and system for guaranteeing real-time service quality of WiBro CPE
US20080298392A1 (en) * 2007-06-01 2008-12-04 Mauricio Sanchez Packet processing
US7734784B1 (en) * 2006-09-22 2010-06-08 Juniper Networks, Inc. Dynamic service activation using COPS-PR to support outsourcing and configuration models for policy control
US20100146061A1 (en) * 2006-11-21 2010-06-10 Mattsson Sven Johan Evert John session process and system
US20130148500A1 (en) * 2011-04-18 2013-06-13 Kentaro Sonoda Terminal, control device, communication method, communication system, communication module, program, and information processing device
US20130159865A1 (en) * 2006-07-06 2013-06-20 John Kei Smith Method and System for Real-Time Visualization of Network Flow within Network Device
US20140226475A1 (en) * 2013-02-12 2014-08-14 Adara Networks, Inc. Controlling congestion controlled flows
US8838753B1 (en) * 2006-08-10 2014-09-16 Bivio Networks, Inc. Method for dynamically configuring network services
US9450915B1 (en) * 2014-01-02 2016-09-20 vIPtela Inc. Bi-directional NAT traversal using endpoint assigned discriminators
US20170094665A1 (en) * 2014-06-06 2017-03-30 Huawei Technologies Co., Ltd. Method and system for compensating for doubly selective channel and related apparatus
US20180375829A1 (en) * 2013-04-08 2018-12-27 Solarflare Communications, Inc. Locked down network interface
US10924483B2 (en) 2005-04-27 2021-02-16 Xilinx, Inc. Packet validation in virtual network interface architecture
US11165720B2 (en) 2017-12-19 2021-11-02 Xilinx, Inc. Network interface device
US11245623B2 (en) * 2019-12-26 2022-02-08 Samsung Electronics Co., Ltd. Method and apparatus for collecting data in network communication using concealed user address
US11394768B2 (en) 2017-12-19 2022-07-19 Xilinx, Inc. Network interface device
US11394664B2 (en) 2017-12-19 2022-07-19 Xilinx, Inc. Network interface device
WO2022206187A1 (en) * 2021-03-29 2022-10-06 华为技术有限公司 Packet traffic control method and apparatus, device, and computer-readable storage medium
US11489876B2 (en) 2015-03-17 2022-11-01 Xilinx, Inc. System and apparatus for providing network security

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101277175B (en) * 2007-03-30 2012-02-29 国际商业机器公司 Method and device for improving conversation starting protocol server performance
WO2009007985A2 (en) * 2007-07-06 2009-01-15 Elitecore Technologies Limited Identity and policy-based network security and management system and method
US7970916B2 (en) * 2007-07-25 2011-06-28 Cisco Technology, Inc. Register clustering in a sip-based network
US8503428B2 (en) * 2010-03-18 2013-08-06 Juniper Networks, Inc. Customized classification of host bound traffic
US8902743B2 (en) * 2010-06-28 2014-12-02 Microsoft Corporation Distributed and scalable network address translation
US8605589B2 (en) 2010-09-01 2013-12-10 Sonus Networks, Inc. Dynamic classification and grouping of network traffic for service application
US8352630B2 (en) 2010-09-01 2013-01-08 Sonus Networks, Inc. Dynamic classification and grouping of network traffic for service application across multiple nodes
WO2012052065A1 (en) * 2010-10-22 2012-04-26 Telefonaktiebolaget L M Ericsson (Publ) Differentiated handling of network traffic using network address translation
EP2500838A1 (en) 2011-03-16 2012-09-19 Samsung SDS Co. Ltd. SOC-based device for packet filtering and packet filtering method thereof
US8854972B1 (en) * 2013-01-25 2014-10-07 Palo Alto Networks, Inc. Security device implementing flow lookup scheme for improved performance
CN106304851A (en) 2015-04-23 2017-01-04 Lg电子株式会社 The device sending broadcast singal, the device receiving broadcast singal, the method sending broadcast singal and the method receiving broadcast singal
US10721259B2 (en) * 2016-03-31 2020-07-21 The Boeing Company System and method for automatic generation of filter rules
US10359993B2 (en) * 2017-01-20 2019-07-23 Essential Products, Inc. Contextual user interface based on environment
US10530696B2 (en) * 2017-06-12 2020-01-07 The Boeing Company Systems and methods for generating filtering rules
US11057415B1 (en) 2021-02-09 2021-07-06 Lookingglass Cyber Solutions, Inc. Systems and methods for dynamic zone protection of networks
US11924160B2 (en) * 2021-08-11 2024-03-05 Cisco Technology, Inc. Application awareness in a data network with network address translation

Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5802106A (en) * 1996-12-06 1998-09-01 Packeteer, Inc. Method for rapid data rate detection in a packet communication environment without data rate supervision
US6018516A (en) * 1997-11-14 2000-01-25 Packeteer, Inc. Method for minimizing unneeded retransmission of packets in a packet communication environment supporting a plurality of data link rates
US6023456A (en) * 1996-12-23 2000-02-08 Nortel Networks Corporation Dynamic traffic conditioning
US6038216A (en) * 1996-11-01 2000-03-14 Packeteer, Inc. Method for explicit data rate control in a packet communication environment without data rate supervision
US6078953A (en) * 1997-12-29 2000-06-20 Ukiah Software, Inc. System and method for monitoring quality of service over network
US6285658B1 (en) * 1996-12-09 2001-09-04 Packeteer, Inc. System for managing flow bandwidth utilization at network, transport and application layers in store and forward network
US6345039B1 (en) * 1996-10-30 2002-02-05 Mitsubishi Denki Kabushiki Kaisha Device and method for controlling ATM traffic
US20020122394A1 (en) * 1995-06-01 2002-09-05 Padcom. Inc. Port routing functionality
US20020186661A1 (en) * 2001-05-04 2002-12-12 Terago Communications, Inc. System and method for hierarchical policing of flows and subflows of a data stream
US20020194369A1 (en) * 2001-03-20 2002-12-19 Worldcom, Inc. Policy-based synchronization of per-class resources between routers in a data network
US6594265B1 (en) * 1998-11-10 2003-07-15 International Business Machines Corporation Method and system in an asynchronous transfer mode (ATM) network for providing an available bit rate interface to a continuous bit rate virtual path connection with adjustable bandwidth
US6598034B1 (en) * 1999-09-21 2003-07-22 Infineon Technologies North America Corp. Rule based IP data processing
US6657991B1 (en) * 1998-12-21 2003-12-02 3Com Corporation Method and system for provisioning network addresses in a data-over-cable system
US6798743B1 (en) * 1999-03-22 2004-09-28 Cisco Technology, Inc. Packet prioritization processing technique for routing traffic in a packet-switched computer network
US20040190526A1 (en) * 2003-03-31 2004-09-30 Alok Kumar Method and apparatus for packet classification using a forest of hash tables data structure
US6816492B1 (en) * 2000-07-31 2004-11-09 Cisco Technology, Inc. Resequencing packets at output ports without errors using packet timestamps and timestamp floors
US6859438B2 (en) * 1998-02-03 2005-02-22 Extreme Networks, Inc. Policy based quality of service
US20060089988A1 (en) * 2004-10-22 2006-04-27 Davie Bruce S Mechanism for sharing resources among different senders and receivers
US7257834B1 (en) * 2002-10-31 2007-08-14 Sprint Communications Company L.P. Security framework data scheme
US7389377B2 (en) * 2005-06-22 2008-06-17 Netlogic Microsystems, Inc. Access control list processor
US7433304B1 (en) * 2002-09-06 2008-10-07 Packeteer, Inc. Classification data structure enabling multi-dimensional network traffic classification and control schemes
US7626944B1 (en) * 2004-03-31 2009-12-01 Packeteer, Inc. Methods, apparatuses and systems facilitating remote, automated deployment of network devices
US7664048B1 (en) * 2003-11-24 2010-02-16 Packeteer, Inc. Heuristic behavior pattern matching of data flows in enhanced network traffic classification
US7742406B1 (en) * 2004-12-20 2010-06-22 Packeteer, Inc. Coordinated environment for classification and control of network traffic
US7778194B1 (en) * 2004-08-13 2010-08-17 Packeteer, Inc. Examination of connection handshake to enhance classification of encrypted network traffic

Family Cites Families (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6816903B1 (en) * 1997-05-27 2004-11-09 Novell, Inc. Directory enabled policy management tool for intelligent traffic management
US6158010A (en) * 1998-10-28 2000-12-05 Crosslogix, Inc. System and method for maintaining security in a distributed computer network
US7246370B2 (en) * 2000-01-07 2007-07-17 Security, Inc. PDstudio design system and method
US6816456B1 (en) * 2000-02-04 2004-11-09 At&T Corp. Methods and apparatus for network use optimization
US20020093527A1 (en) * 2000-06-16 2002-07-18 Sherlock Kieran G. User interface for a security policy system and method
US7546629B2 (en) * 2002-03-06 2009-06-09 Check Point Software Technologies, Inc. System and methodology for security policy arbitration
US7299277B1 (en) * 2002-01-10 2007-11-20 Network General Technology Media module apparatus and method for use in a network monitoring environment
US8370936B2 (en) * 2002-02-08 2013-02-05 Juniper Networks, Inc. Multi-method gateway-based network security systems and methods
US7107613B1 (en) * 2002-03-27 2006-09-12 Cisco Technology, Inc. Method and apparatus for reducing the number of tunnels used to implement a security policy on a network
US7743143B2 (en) * 2002-05-03 2010-06-22 Oracle America, Inc. Diagnosability enhancements for multi-level secure operating environments
US7324447B1 (en) * 2002-09-30 2008-01-29 Packeteer, Inc. Methods, apparatuses and systems facilitating concurrent classification and control of tunneled and non-tunneled network traffic
US7296288B1 (en) * 2002-11-15 2007-11-13 Packeteer, Inc. Methods, apparatuses, and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users
WO2004090675A2 (en) * 2003-04-03 2004-10-21 Commvault Systems, Inc. System and method for performing storage operations through a firewall
JP4222184B2 (en) * 2003-04-24 2009-02-12 日本電気株式会社 Security management support system, security management support method and program
US7684432B2 (en) * 2003-05-15 2010-03-23 At&T Intellectual Property I, L.P. Methods of providing data services over data networks and related data networks, data service providers, routing gateways and computer program products
US7599283B1 (en) * 2003-06-30 2009-10-06 Packeteer, Inc. Network traffic synchronization and data compression in redundant network topologies
US7366101B1 (en) * 2003-06-30 2008-04-29 Packeteer, Inc. Network traffic synchronization mechanism
US7324553B1 (en) * 2003-09-30 2008-01-29 Packeteer, Inc. Dynamic bandwidth management responsive to access link state in redundant network topologies
EP1690363A4 (en) * 2003-12-03 2012-02-08 Safend Ltd Method and system for improving computer network security
US7543052B1 (en) * 2003-12-22 2009-06-02 Packeteer, Inc. Automatic network traffic discovery and classification mechanism including dynamic discovery thresholds
US7353279B2 (en) * 2004-01-08 2008-04-01 Hughes Electronics Corporation Proxy architecture for providing quality of service(QoS) reservations
US7496661B1 (en) * 2004-03-29 2009-02-24 Packeteer, Inc. Adaptive, application-aware selection of differentiated network services
FR2872653B1 (en) * 2004-06-30 2006-12-29 Skyrecon Systems Sa SYSTEM AND METHODS FOR SECURING COMPUTER STATIONS AND / OR COMMUNICATIONS NETWORKS
KR100636177B1 (en) * 2004-09-20 2006-10-19 삼성전자주식회사 Method and system for managing output of policy based extensible markup language document
US7561515B2 (en) * 2004-09-27 2009-07-14 Intel Corporation Role-based network traffic-flow rate control
US20060149845A1 (en) * 2004-12-30 2006-07-06 Xinnia Technology, Llc Managed quality of service for users and applications over shared networks
US7675897B2 (en) * 2005-09-06 2010-03-09 Current Technologies, Llc Power line communications system with differentiated data services
US7558588B2 (en) * 2005-11-18 2009-07-07 Airvana, Inc. Resource allocation in a radio access network
US7747736B2 (en) * 2006-06-05 2010-06-29 International Business Machines Corporation Rule and policy promotion within a policy hierarchy

Patent Citations (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020122394A1 (en) * 1995-06-01 2002-09-05 Padcom. Inc. Port routing functionality
US6345039B1 (en) * 1996-10-30 2002-02-05 Mitsubishi Denki Kabushiki Kaisha Device and method for controlling ATM traffic
US6038216A (en) * 1996-11-01 2000-03-14 Packeteer, Inc. Method for explicit data rate control in a packet communication environment without data rate supervision
US5802106A (en) * 1996-12-06 1998-09-01 Packeteer, Inc. Method for rapid data rate detection in a packet communication environment without data rate supervision
US6285658B1 (en) * 1996-12-09 2001-09-04 Packeteer, Inc. System for managing flow bandwidth utilization at network, transport and application layers in store and forward network
US6023456A (en) * 1996-12-23 2000-02-08 Nortel Networks Corporation Dynamic traffic conditioning
US6018516A (en) * 1997-11-14 2000-01-25 Packeteer, Inc. Method for minimizing unneeded retransmission of packets in a packet communication environment supporting a plurality of data link rates
US6078953A (en) * 1997-12-29 2000-06-20 Ukiah Software, Inc. System and method for monitoring quality of service over network
US6859438B2 (en) * 1998-02-03 2005-02-22 Extreme Networks, Inc. Policy based quality of service
US6594265B1 (en) * 1998-11-10 2003-07-15 International Business Machines Corporation Method and system in an asynchronous transfer mode (ATM) network for providing an available bit rate interface to a continuous bit rate virtual path connection with adjustable bandwidth
US6657991B1 (en) * 1998-12-21 2003-12-02 3Com Corporation Method and system for provisioning network addresses in a data-over-cable system
US6798743B1 (en) * 1999-03-22 2004-09-28 Cisco Technology, Inc. Packet prioritization processing technique for routing traffic in a packet-switched computer network
US6598034B1 (en) * 1999-09-21 2003-07-22 Infineon Technologies North America Corp. Rule based IP data processing
US6816492B1 (en) * 2000-07-31 2004-11-09 Cisco Technology, Inc. Resequencing packets at output ports without errors using packet timestamps and timestamp floors
US20020194369A1 (en) * 2001-03-20 2002-12-19 Worldcom, Inc. Policy-based synchronization of per-class resources between routers in a data network
US20060087969A1 (en) * 2001-05-04 2006-04-27 Slt Logic Llc System and method for hierarchical policing of flows and subflows of a data stream
US20020186661A1 (en) * 2001-05-04 2002-12-12 Terago Communications, Inc. System and method for hierarchical policing of flows and subflows of a data stream
US7433304B1 (en) * 2002-09-06 2008-10-07 Packeteer, Inc. Classification data structure enabling multi-dimensional network traffic classification and control schemes
US7257834B1 (en) * 2002-10-31 2007-08-14 Sprint Communications Company L.P. Security framework data scheme
US7394809B2 (en) * 2003-03-31 2008-07-01 Intel Corporation Method and apparatus for packet classification using a forest of hash tables data structure
US20040190526A1 (en) * 2003-03-31 2004-09-30 Alok Kumar Method and apparatus for packet classification using a forest of hash tables data structure
US7664048B1 (en) * 2003-11-24 2010-02-16 Packeteer, Inc. Heuristic behavior pattern matching of data flows in enhanced network traffic classification
US7626944B1 (en) * 2004-03-31 2009-12-01 Packeteer, Inc. Methods, apparatuses and systems facilitating remote, automated deployment of network devices
US7778194B1 (en) * 2004-08-13 2010-08-17 Packeteer, Inc. Examination of connection handshake to enhance classification of encrypted network traffic
US20060089988A1 (en) * 2004-10-22 2006-04-27 Davie Bruce S Mechanism for sharing resources among different senders and receivers
US7742406B1 (en) * 2004-12-20 2010-06-22 Packeteer, Inc. Coordinated environment for classification and control of network traffic
US7389377B2 (en) * 2005-06-22 2008-06-17 Netlogic Microsystems, Inc. Access control list processor

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10924483B2 (en) 2005-04-27 2021-02-16 Xilinx, Inc. Packet validation in virtual network interface architecture
US20070211644A1 (en) * 2006-03-07 2007-09-13 Ottamalika Iqlas M Graphical representation of the flow of a packet through a network device
US7898963B2 (en) * 2006-03-07 2011-03-01 Cisco Technology, Inc. Graphical representation of the flow of a packet through a network device
US20130159865A1 (en) * 2006-07-06 2013-06-20 John Kei Smith Method and System for Real-Time Visualization of Network Flow within Network Device
US9246772B2 (en) 2006-07-06 2016-01-26 LiveAction, Inc. System and method for network topology and flow visualization
US9240930B2 (en) 2006-07-06 2016-01-19 LiveAction, Inc. System for network flow visualization through network devices within network topology
US9350622B2 (en) * 2006-07-06 2016-05-24 LiveAction, Inc. Method and system for real-time visualization of network flow within network device
US8838753B1 (en) * 2006-08-10 2014-09-16 Bivio Networks, Inc. Method for dynamically configuring network services
US7734784B1 (en) * 2006-09-22 2010-06-08 Juniper Networks, Inc. Dynamic service activation using COPS-PR to support outsourcing and configuration models for policy control
US8010678B2 (en) 2006-09-22 2011-08-30 Juniper Networks, Inc. Dynamic service activation using COPS-PR to support outsourcing and configuration models for policy control
US7688752B2 (en) * 2006-10-27 2010-03-30 Samsung Electronics Co., Ltd. Scheduling method and system for guaranteeing real-time service quality of WiBro CPE
US20080225742A1 (en) * 2006-10-27 2008-09-18 Kyu-Ho Cho Scheduling method and system for guaranteeing real-time service quality of WiBro CPE
US20100146061A1 (en) * 2006-11-21 2010-06-10 Mattsson Sven Johan Evert John session process and system
US7849503B2 (en) * 2007-06-01 2010-12-07 Hewlett-Packard Development Company, L.P. Packet processing using distribution algorithms
US20080298392A1 (en) * 2007-06-01 2008-12-04 Mauricio Sanchez Packet processing
US9397949B2 (en) * 2011-04-18 2016-07-19 Nec Corporation Terminal, control device, communication method, communication system, communication module, program, and information processing device
US20130148500A1 (en) * 2011-04-18 2013-06-13 Kentaro Sonoda Terminal, control device, communication method, communication system, communication module, program, and information processing device
US9596182B2 (en) 2013-02-12 2017-03-14 Adara Networks, Inc. Controlling non-congestion controlled flows
US20140226475A1 (en) * 2013-02-12 2014-08-14 Adara Networks, Inc. Controlling congestion controlled flows
US10033644B2 (en) * 2013-02-12 2018-07-24 Adara Networks, Inc. Controlling congestion controlled flows
US20180375829A1 (en) * 2013-04-08 2018-12-27 Solarflare Communications, Inc. Locked down network interface
US10742604B2 (en) 2013-04-08 2020-08-11 Xilinx, Inc. Locked down network interface
US10243886B2 (en) 2014-01-02 2019-03-26 Cisco Technology, Inc. Bi-directional NAT traversal using endpoint assigned discriminators
US9819613B1 (en) * 2014-01-02 2017-11-14 vIPtela Inc. Bi-directional NAT traversal using endpoint assigned discriminators
US9450915B1 (en) * 2014-01-02 2016-09-20 vIPtela Inc. Bi-directional NAT traversal using endpoint assigned discriminators
US10104666B2 (en) * 2014-06-06 2018-10-16 Huawei Technologies Co., Ltd. Method and system for compensating for doubly selective channel and related apparatus
US20170094665A1 (en) * 2014-06-06 2017-03-30 Huawei Technologies Co., Ltd. Method and system for compensating for doubly selective channel and related apparatus
US11489876B2 (en) 2015-03-17 2022-11-01 Xilinx, Inc. System and apparatus for providing network security
US11165720B2 (en) 2017-12-19 2021-11-02 Xilinx, Inc. Network interface device
US11394768B2 (en) 2017-12-19 2022-07-19 Xilinx, Inc. Network interface device
US11394664B2 (en) 2017-12-19 2022-07-19 Xilinx, Inc. Network interface device
US11245623B2 (en) * 2019-12-26 2022-02-08 Samsung Electronics Co., Ltd. Method and apparatus for collecting data in network communication using concealed user address
WO2022206187A1 (en) * 2021-03-29 2022-10-06 华为技术有限公司 Packet traffic control method and apparatus, device, and computer-readable storage medium

Also Published As

Publication number Publication date
US7970899B2 (en) 2011-06-28
US7987267B2 (en) 2011-07-26
US20100031323A1 (en) 2010-02-04
US8069244B2 (en) 2011-11-29
US20100088741A1 (en) 2010-04-08
US20100088742A1 (en) 2010-04-08

Similar Documents

Publication Publication Date Title
US7970899B2 (en) Integrated data flow packet admission and traffic management apparatus
US9832169B2 (en) Method and system for communicating over a segmented virtual private network (VPN)
EP1333642B1 (en) Method and system for integrating performance enhancing functions in a virtual private network (VPN)
US7643416B2 (en) Method and system for adaptively applying performance enhancing functions
CN103229460B (en) For the system and method for service quality is provided via current control tunnel
US6978383B2 (en) Null-packet transmission from inside a firewall to open a communication window for an outside transmitter
US6728885B1 (en) System and method for network access control using adaptive proxies
US20030172264A1 (en) Method and system for providing security in performance enhanced network
US6219786B1 (en) Method and system for monitoring and controlling network access
US20030219022A1 (en) Method and system for utilizing virtual private network (VPN) connections in a performance enhanced network
US20040028047A1 (en) Switch for local area network
US7746901B2 (en) Method and system for offloaded transport layer protocol switching
US11329959B2 (en) Virtual routing and forwarding (VRF)-aware socket
US20080104688A1 (en) System and method for blocking anonymous proxy traffic
JP2003523141A (en) Selective spoofer and method for selective spoofing
Cisco Network-Based Application Recognition
Headquarters Classifying Network Traffic Using NBAR
Gascón et al. Designing a broadband residential gateway using click! modular router

Legal Events

Date Code Title Description
AS Assignment

Owner name: CONVERGED ACCESS, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WIRYAMAN, SANTA;SRIDHAR, MANICKAM;REEL/FRAME:018189/0865

Effective date: 20060824

AS Assignment

Owner name: BARRACUDA NETWORKS, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CONVERGED ACCESS, INC.;REEL/FRAME:022151/0795

Effective date: 20081016

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: SILICON VALLEY BANK, CALIFORNIA

Free format text: SECURITY INTEREST;ASSIGNOR:BARRACUDA NETWORKS, INC.;REEL/FRAME:029218/0107

Effective date: 20121003

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: BARRACUDA NETWORKS, INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT;REEL/FRAME:045027/0870

Effective date: 20180102

AS Assignment

Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK

Free format text: FIRST LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:BARRACUDA NETWORKS, INC.;REEL/FRAME:045327/0877

Effective date: 20180212

Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK

Free format text: SECOND LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:BARRACUDA NETWORKS, INC.;REEL/FRAME:045327/0934

Effective date: 20180212

Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW Y

Free format text: SECOND LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:BARRACUDA NETWORKS, INC.;REEL/FRAME:045327/0934

Effective date: 20180212

Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW Y

Free format text: FIRST LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:BARRACUDA NETWORKS, INC.;REEL/FRAME:045327/0877

Effective date: 20180212

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552)

Year of fee payment: 8

AS Assignment

Owner name: BARRACUDA NETWORKS, INC., CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST IN INTELLECTUAL PROPERTY RECORDED AT R/F 045327/0934;ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:048895/0841

Effective date: 20190415

AS Assignment

Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK

Free format text: SECOND LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:BARRAUDA NETWORKS, INC.;REEL/FRAME:054260/0746

Effective date: 20201030

AS Assignment

Owner name: BARRACUDA NETWORKS, INC., CALIFORNIA

Free format text: RELEASE OF SECOND LIEN SECURITY INTEREST IN IP RECORDED AT R/F 054260/0746;ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:061521/0086

Effective date: 20220815

Owner name: BARRACUDA NETWORKS, INC., CALIFORNIA

Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN IP RECORDED AT R/F 045327/0877;ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:061179/0602

Effective date: 20220815

AS Assignment

Owner name: KKR LOAN ADMINISTRATION SERVICES LLC, AS COLLATERAL AGENT, NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:BARRACUDA NETWORKS, INC.;REEL/FRAME:061377/0231

Effective date: 20220815

Owner name: UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONNECTICUT

Free format text: SECURITY INTEREST;ASSIGNOR:BARRACUDA NETWORKS, INC.;REEL/FRAME:061377/0208

Effective date: 20220815

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12